Extends getVar() with a new 'defis' filter type that URL-encodes string input while leaving pre-encoded defaults untouched; also normalises all filter key lookups to lowercase so callers may use any casing.

Core changes:
- New filter type (core/security.php):
  - Add 'defis' => urlencode(trim($v)) to the filters map
    - Returns '' (not false) for blank strings
    - Skips encoding when the value comes from $default
- Case-insensitive dispatch (core/security.php):
  - All $filters[$type] lookups replaced with $filters[strtolower($type)]
    - Covers both the array-branch and the scalar-branch paths
    - Prevents silent no-ops when callers pass mixed-case type strings
- Special defis path (core/security.php):
  - Dedicated early-return block for 'defis' type
    - Falls back to $default as-is (already encoded)
    - Returns false only when both value and default are empty

Benefits:
- Enables safe URL-segment encoding via getVar() without raw urlencode() calls
- Eliminates filter-miss bugs caused by type-string casing differences
- Consistent fallback semantics across all filter types

Technical notes:
- No change to existing filter behaviour or function signature
- Backward compatible: callers using lowercase types are unaffected
- 'defis' default is passed through unchanged (expected to be pre-encoded)
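The filter step described in this commit, as an added illustration rather than SLAED's own core/security.php: filterVar() is a hypothetical, simplified stand-in for the filter part of getVar(), showing the strtolower() dispatch and the 'defis' early-return path; the non-defis filters and the blank-versus-missing handling are assumptions for the demo.

```php
<?php
// Added illustration, not SLAED's core/security.php. filterVar() is a hypothetical
// stand-in for the filter step of getVar(): $value is what the request supplied
// (null when absent), $type the filter name, $default the caller's fallback.
function filterVar($value, string $type, $default = false)
{
    $filters = [
        // placeholder filters standing in for the project's own 'text'/'num'/'array'
        'text'  => fn($v) => trim((string) $v),
        'num'   => fn($v) => (int) $v,
        'array' => fn($v) => is_array($v) ? $v : [],
        // 'defis': URL-encode trimmed string input for use as a URL segment
        'defis' => fn($v) => urlencode(trim((string) $v)),
    ];

    // Lowercase the key so 'DEFIS', 'Num' or 'Text' no longer miss the map silently
    $type = strtolower($type);
    if (!isset($filters[$type])) {
        return $default;   // unknown type: unchanged fallback behaviour
    }

    // Dedicated early-return block for the defis type
    if ($type === 'defis') {
        if (is_string($value) && trim($value) !== '') {
            return $filters['defis']($value);   // live input is encoded
        }
        if ($default !== false && $default !== null && $default !== '') {
            return $default;   // default is expected to be pre-encoded: pass through as-is
        }
        // Assumption: a blank string yields '' (not false); a missing value with
        // no default is the only case that yields false
        return is_string($value) ? '' : false;
    }

    return $value === null ? $default : $filters[$type]($value);
}

// Constructed sample calls
var_dump(filterVar('hello world/été', 'DEFIS'));        // mixed-case type, live input encoded
var_dump(filterVar(null, 'defis', 'pre%2Dencoded'));   // default passed through, not double-encoded
var_dump(filterVar('', 'defis'));                      // blank string
var_dump(filterVar(null, 'defis'));                    // missing value, no default
var_dump(filterVar('42abc', 'NUM', 0));                // case-insensitive dispatch for other types
```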
Removes stale global variable declarations from forum() and view() to keep function signatures accurate and reduce unnecessary imports.

Core changes:
- Forum frontend (modules/forum/index.php):
  - forum(): remove unused $user global
  - view(): remove unused $admin_file and $locale globals

Benefits:
- Accurate global declarations prevent confusion during maintenance
- Slight reduction in unnecessary variable imports per request
- Architecture alignment with the $afile rename across the codebase

Technical notes:
- No behavioral change
- Backward compatible
Rewrites the files admin module using standard SLAED conventions: canonical function names, getVar() input handling, prepared SQL statements, and modern template calls. Copyright year updated to 2026.

Core changes:
- Files admin (modules/files/admin/index.php):
  - Replace files_navi() with navi() using getAdminTabs()
  - Rename functions to short canonical names
    - files_add() -> add(), files_delete() -> del(), etc.
  - Replace all raw $_POST/$_GET with getVar()
  - Use prepared SQL statements with named placeholders throughout
  - Replace tpl_eval()/tpl_warn() with setTemplateBasic()/setTemplateWarning()
  - Replace $admin_file with $afile throughout
  - Update op= route names to match new function names
  - Switch to single-quoted strings consistently
  - Update copyright year to 2026

Benefits:
- SQL injection eliminated throughout the module
- Input validated at entry points via getVar()
- Consistent architecture with other modernized admin modules
- Maintainability improved by short canonical function names

Technical notes:
- op= route values changed to match new function names
- Backward compatible with the database schema
Rewrites the clients admin module using standard SLAED conventions: canonical function names, getVar() input handling, prepared SQL statements, and modern template calls. SQL injection in save/delete queries eliminated. Missing exit after redirects added.

Core changes:
- Clients admin (modules/clients/admin/index.php):
  - Replace clients_navi() with navi() using getAdminTabs()
  - Rename functions to short canonical names:
    - clients_add() -> add()
    - clients_save() -> save()
    - clients_delete() -> del()
    - clients_active() -> status()
    - clients_info() -> info()
  - Replace all raw $_POST/$_GET with getVar()
  - Fix SQL injection in save(): prepared statements with named placeholders
  - Replace tpl_eval()/tpl_warn() with setTemplateBasic()/setTemplateWarning()
  - Replace $admin_file with $afile throughout
  - Add exit after header() in del() and status()
  - Rewrite switch to compact form with named cases
  - Add missing newline at end of file

Benefits:
- SQL injection in save and delete queries eliminated
- Input sanitized via getVar() throughout
- Missing exit after redirect now present
- Consistent naming convention across admin modules

Technical notes:
- op= route values changed to match new function names
- Backward compatible with the database schema
Rewrites the auto_links admin module to follow current SLAED architecture: standard function naming, getVar() input handling, prepared SQL statements, and modern template calls. SQL injection in the stats query is eliminated. Copyright year updated to 2026.

Core changes:
- Auto-links admin (modules/auto_links/admin/index.php):
  - Replace auto_links_navi() with navi() using getAdminTabs()
  - Rename all functions to short canonical names:
    - auto_links_stat() -> stats()
    - auto_links_add() -> add()
    - auto_links_save() -> save()
    - auto_links_delete() -> del()
    - auto_links_conf() -> conf()
    - auto_links_conf_save() -> confsave()
    - auto_links_info() -> info()
    - nullhits() and noindel() extracted from switch as named functions
  - Replace all raw $_POST/$_GET with getVar()
  - Fix SQL injection in stats(): prepared statement with :lid placeholder
  - Replace tpl_eval()/tpl_warn() with setTemplateBasic()/setTemplateWarning()
  - Replace $admin_file/$aroute with $afile throughout
  - Use $conf['auto_links'] sub-array instead of $confal
  - Rewrite switch to compact form with named cases
  - Remove closing ?>
  - Update copyright year to 2026

Benefits:
- SQL injection in stats query eliminated
- Input validated through getVar() at all entry points
- Consistent naming convention with other modernized modules
- Maintainability improved by short, readable function names

Technical notes:
- op= route values changed to match new function names
- $confal replaced by $conf['auto_links'] sub-array
- Routing layer must map new op names
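The pattern the files, clients and auto_links rewrites describe (getVar() at the entry point, a prepared statement with a named placeholder, and exit after the redirect header), as an added before/after illustration that is not the modules' own code. It assumes getVar(source, name, type, default) as the argument order, $db as a PDO connection, and constructed table and column names.

```php
<?php
// Added illustration, not SLAED module code. Assumes getVar('get', name, type, default)
// is the project's input helper and $db is a PDO connection; table/column names are
// constructed for the demo.

// Before: the pattern the rewrite removes. The id is read raw from $_GET and
// concatenated into the SQL text, and execution continues after header(), so
// whatever follows the redirect still runs and can still emit output.
function del_before(PDO $db, string $afile): void
{
    $id = $_GET['id'];
    $db->query("DELETE FROM clients WHERE id = $id");
    header('Location: ' . $afile . '?op=clients');
    // no exit here
}

// After: typed input, a bound parameter, and a hard stop after the redirect.
function del(PDO $db, string $afile): void
{
    $id = (int) getVar('get', 'id', 'num', 0);   // 'num' filter: integer or fallback 0
    if ($id > 0) {
        $stmt = $db->prepare('DELETE FROM clients WHERE id = :id');
        $stmt->execute([':id' => $id]);
    }
    header('Location: ' . $afile . '?op=clients');
    exit;   // nothing below this point can run after the redirect is sent
}

// The stats() fix from the auto_links commit in the same style: the link id is
// bound to :lid, so it never becomes part of the SQL string.
function stats(PDO $db, string $afile): array
{
    $lid  = (int) getVar('get', 'lid', 'num', 0);
    $stmt = $db->prepare('SELECT hits, lasthit FROM auto_links_stats WHERE lid = :lid');
    $stmt->bindValue(':lid', $lid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```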
Aligns the account admin and frontend module with the canonical $afile variable, and removes unused globals from checkuser() and view().

Core changes:
- Account admin (modules/account/admin/index.php):
  - Replace $aroute with $afile in navi(), users(), add(), addsave(), newuser(), nullpoints(), nullsave(), conf(), save(), newdel(), del()
  - Fix navi() call spacing: navi(0,0,0,0) -> navi(0, 0, 0, 0)
- Account frontend (modules/account/index.php):
  - Replace $admin_file with $afile in view()
  - Remove unused $conf from checkuser() globals

Benefits:
- Consistent $afile usage across frontend and admin sides
- Eliminates unnecessary global imports
- Architecture alignment with modernized modules

Technical notes:
- No behavioral change; pure identifier rename
- Backward compatible
Eliminates the legacy $aroute variable from all four admin panel modules, replacing it with the canonical $afile identifier. Also removes the pwd field from admin list and edit queries to avoid exposing password hashes unnecessarily in list views.

Core changes:
- Admins manager (admin/modules/admins.php):
  - Replace $aroute with $afile in admins(), add(), save(), del()
  - Remove pwd column from SELECT in admins() list query
  - Remove pwd from SELECT and list() destructuring in add()
- Blocks manager (admin/modules/blocks.php):
  - Replace $aroute with $afile in all functions
    - add(), fileadd(), fileedit(), fix(), addsave(), filecode()
    - filecodesave(), edit(), editsave(), change(), del()
- Config manager (admin/modules/config.php):
  - Replace $aroute with $afile in config(), save()
- Modules manager (admin/modules/modules.php):
  - Replace $aroute with $afile in navi(), modules(), edit(), status(), save()

Benefits:
- Consistent use of $afile across the entire admin panel
- Removing pwd from queries reduces attack surface in list views
- Simpler global declarations in each function

Technical notes:
- No behavioral change beyond the variable rename
- $afile is injected by the admin bootstrap
- Backward compatible
Makes the RSS reader safe against slow/unreachable feeds, broken charset declarations, and undefined array offsets that previously caused PHP warnings or silent failures.

Core changes:
- RSS reader (core/system.php):
  - Add stream context with 10-second timeout and follow_location
    - Prevents blocking on unresponsive remote feeds
    - Suppresses file_get_contents warnings via set/restore_error_handler
  - Fix charset detection and iconv call
    - Regex now matches both double- and single-quoted encoding attr
    - Use iconv with //IGNORE to skip unconvertible bytes gracefully
  - Replace parse_url() array dereference with parse_url($url, PHP_URL_HOST)
    - Eliminates need to unpack ['host'] with a fallback
  - Use null-coalescing defaults for $rss_title, $rss_date, $rss_guid, $rss_desc
    - Prevents undefined offset warnings when items lack fields
  - Guard strtotime() with !== false check
    - Avoids passing false to date()
  - Change $items[1] truthiness check to !empty()

Benefits:
- No more blocking requests for dead or slow RSS feeds
- Eliminates PHP warnings on malformed or incomplete feeds
- Safer charset conversion without data loss

Technical notes:
- Requires PHP stream wrappers to be enabled (default on all installs)
- No schema or config changes required
- Backward compatible with existing RSS block configs
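The hardened fetch-and-decode path this commit describes, written out as an added stand-alone illustration that is not SLAED's core/system.php; the function names and the item field names are hypothetical, and the date format is an assumption.

```php
<?php
// Added illustration, not SLAED's core/system.php. Function names are hypothetical.

// Fetch the feed body with a 10-second timeout and redirect following. The warning that
// file_get_contents() raises on failure is swallowed by a temporary error handler, which
// is restored even if the call throws.
function fetchFeed(string $url): ?string
{
    $ctx = stream_context_create([
        'http' => ['timeout' => 10, 'follow_location' => 1],
    ]);
    set_error_handler(static function () { return true; });
    try {
        $body = file_get_contents($url, false, $ctx);
    } finally {
        restore_error_handler();
    }
    return ($body === false || $body === '') ? null : $body;
}

// Convert to UTF-8 when the XML declaration names another charset. The encoding attribute
// may be double- or single-quoted; //IGNORE drops bytes iconv cannot convert instead of
// aborting the whole conversion.
function toUtf8(string $xml): string
{
    if (!preg_match('/<\?xml[^>]*encoding=["\']([^"\']+)["\']/i', $xml, $m)) {
        return $xml;
    }
    $charset = strtoupper($m[1]);
    if ($charset === 'UTF-8') {
        return $xml;
    }
    $out = @iconv($charset, 'UTF-8//IGNORE', $xml);
    return $out === false ? $xml : $out;   // keep the raw body rather than lose the item
}

// Normalise one parsed item: null-coalescing defaults for missing fields and a guarded
// strtotime() so that false is never handed to date().
function normaliseItem(array $item): array
{
    $ts = strtotime($item['pubDate'] ?? '');
    return [
        'title' => $item['title'] ?? '',
        'guid'  => $item['guid'] ?? ($item['link'] ?? ''),
        'desc'  => $item['description'] ?? '',
        'date'  => $ts !== false ? date('d.m.Y', $ts) : '',
    ];
}

// Host lookup via the component form of parse_url(): no ['host'] unpacking, '' on failure.
function feedHost(string $url): string
{
    return parse_url($url, PHP_URL_HOST) ?: '';
}
```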
Standardizes the admin file path variable name across core files, aligning with the canonical $afile identifier used throughout the rest of the system. Also trims unused global declarations.

Core changes:
- Admin utilities (core/admin.php):
  - Replace all $admin_file references with $afile
    - getAdminTabs(): nav link generation
    - admininfo(): dashboard block links
    - ajax_cat(): AJAX category actions
    - ajax_block(): AJAX block actions
    - navi_gen() (commented-out legacy): updated for consistency
  - Add $confu to fav_aliste() globals
- User utilities (core/user.php):
  - Replace $admin_file with $afile in setMessageShow()
    - Admin edit link in the message block
  - Remove unused $conf from checkuser() in setComShow() context

Benefits:
- Single canonical name for the admin file path variable
- Reduces confusion between $admin_file and $aroute variants
- Architecture alignment with module-level code

Technical notes:
- No behavioral change; pure identifier rename
- $afile is already defined in the admin bootstrap
- Backward compatible
Replaces direct superglobal access in frontend/admin modules with typed getVar() calls and adds safer update patterns in critical paths to reduce inconsistent filtering and prepare modules for stricter validation rules.

Core changes:
- Request normalization across modules (multiple modules/*/index.php):
  - Replaced direct $_POST/$_GET reads with getVar('post'|'get', ..., 'text'|'num'|'array').
    - Standardizes input typing and fallback behavior.
    - Reduces duplicated manual isset/intval/substr patterns.
    - Kept existing business logic and flow while tightening data entry points.
- Safer persistence/update paths (account and selected module handlers):
  - Updated write operations to use safer parameter passing where introduced.
  - Preserved compatibility with current module interfaces and routing.

Benefits:
- Better reliability of request parsing.
- Improved maintainability through consistent input access patterns.
- Stronger security baseline for future hardening.

Technical notes:
- No schema/storage format changes.
- Module endpoints and operation names remain unchanged.
- Backward compatibility preserved at API and template level.