Raw header() calls without exit were used for geo-IP language redirects and fallback routing, violating the SLAED guardrail (exit after every redirect). setRedirect() encapsulates both header() and exit atomically.
Core changes:
- Geo-IP language redirect block (index.php):
header('Location: index.php?newlang=...') → setRedirect(...) for en, fr, de, pl, ru, uk locales (6 occurrences)
- Removes implicit fall-through risk after redirect
- Fallback routing block (index.php):
header('Location: index.php') + exit → setRedirect('index.php') (2 occurrences; exit now handled internally by setRedirect)
Benefits: - Guardrail compliance: no output possible after redirect - Reduced duplication: exit not repeated manually - Architecture alignment with setRedirect() API
Technical notes: - setRedirect() defaults to HTTP 302; behavior unchanged - Backward compatibility: identical HTTP response for clients
The copyright line in 14 admin module files contained a mojibake sequence (•) instead of the UTF-8 © symbol, caused by incorrect encoding during a prior batch operation.
Core changes:
- Copyright header fix (14 files: modules/*/admin/index.php):
clients, contact, content, faq, files, forum, help, jokes, links, news, order, pages, rss, voting, whois
- • 2005 - 2026 → © 2005 - 2026
Benefits: - Correct UTF-8 output in file headers across all admin modules - Consistent copyright notice project-wide
Technical notes: - Single-character encoding fix; no logic changes - Backward compatibility: not applicable
Follow-up fixes after the main VerbNoun rename commit: corrects navi() naming conflict, optimizes getUserNav(), and updates all function comments.
Core changes:
- navi() → getUserNav(): string (core/user.php):
- Renamed to avoid collision with admin navi() in modules/account/admin
- Added missing return type declaration: string
- 4 parallel arrays → single $navs tuple array
- getUserInfo() null-safe: (getUserInfo() ?? [])['user_id'] ?? 0
- $conf['shop'] global mutation removed; replaced with ?? 0 read
- Strict comparisons: != → !, 1 → === 1
- foreach destructuring: [$titl, $itit, $link, $icon]
- Function comments updated (core/user.php):
- All 19 functions now have accurate, descriptive single-line comments
- Old comments reflected legacy names (savecom, editpost, prmess, etc.)
- Call sites updated (3 files):
- modules/account/index.php (4 calls)
- modules/clients/index.php (1 call)
- modules/shop/index.php (2 calls)
Benefits: - No redeclaration risk between user and admin navi() - $navs tuple pattern eliminates parallel-array sync errors - Null-safe uid lookup prevents notices on unauthenticated edge cases
Standardizes all 16 non-conforming function names in core/user.php and updates every call site across 20 files so the codebase is consistent with the approved verb set (get, set, add, update, delete, is, check, filter).
Core changes:
- Function renames (core/user.php):
- getusrinfo() → getUserInfo() (no camelCase)
- is_mod_group() → isModGroup() (snake_case)
- userblock() → getUserBlock() (missing verb)
- savecom() → addComment() (save not in SLAED verbs)
- editpost() → updatePost() (edit not in SLAED verbs)
- prmess() → getPmView() (no verb, no camelCase)
- prmesssend() → addPmMsg() (no verb, no camelCase)
- prmesssave() → setPmSaved() (no verb, no camelCase)
- prmessdel() → deletePmMsg() (no verb, no camelCase)
- favorview() → getFavorBtn() (no verb, no camelCase)
- favoradd() → addFavor() (verb at end, no camelCase)
- favorliste() → getFavorList() (no verb, no camelCase)
- favordel() → deleteFavor() (no verb, no camelCase)
- rss_channel() → getRssChannel() (snake_case)
- open_search() → getOpenSearch() (snake_case)
- open_xsl() → getOpenXsl() (snake_case)
- Code quality fixes (core/user.php):
- list() → [] destructuring (28 occurrences)
- Indentation: 1-space global lines → 4 spaces
- getFavorBtn($fid, $mod): added type hints int/string
- Strict comparisons in isModGroup() and addComment()
- Call sites updated in 20 files:
- core/system.php, core/template.php, index.php
- blocks/block-user_info.php, templates/lite/index.php
modules/account, auto_links, contact, faq, files, forum, help, links, media, money, news, order, pages, recommend, shop
Benefits: - Consistent SLAED VerbNoun naming across core/user.php - list() removal eliminates PHP 8 deprecation warnings - Strict comparisons prevent type-juggling edge cases
Technical notes: - op= URL routing strings (savecom, editpost, prmess, etc.) unchanged - No logic changes; signature types only on getFavorBtn - Backward compatibility: internal API only
addmail() collided with addMail() (core/security.php) because PHP function names are case-insensitive; renamed to addAdminMail() to follow VerbNoun convention and eliminate the fatal redeclaration error.
Core changes:
- Function declaration (core/system.php):
- addmail() → addAdminMail(); comment updated
- No logic changes, signature unchanged
- Call sites (11 files):
- core/user.php
- modules/news, links, files, media, jokes, faq, pages, help, whois, auto_links
Benefits: - Resolves Fatal error: Cannot redeclare function addMail() - Consistent VerbNoun camelCase naming per SLAED §3-4 - No ambiguity between low-level addMail() and admin-notify addAdminMail()
Technical notes: - addMail() (security.php) queues a single email - addAdminMail() (system.php) dispatches notifications to all subscribed admins - Backward compatibility: internal API only; no external callers
Replaces all remaining legacy function calls that were missed in the previous Refactor commit, ensuring system.php is consistent with the merged isAdmin(bool \$super = false) API in core/security.php.
Core changes:
- Function call replacements (core/system.php):
- is_admin() → isAdmin() (12 occurrences)
- isAdminSuper() → isAdmin(true) (4 occurrences)
Benefits: - No legacy shim required; all call sites now use unified API - Static cache in isAdmin() shared across all 16 call sites per request - One DB query per request regardless of super check
Technical notes: - isAdmin(true) is equivalent to removed isAdminSuper() - isAdmin() is equivalent to removed is_admin() - Backward compatibility: none needed; legacy functions deleted
Migrates remaining save_datetime() calls to the unified getVar() API, and corrects a single-quote style issue in the changelog French language file.
Core changes:
- modules/faq/admin/index.php:
- save_datetime(1, 'time') → getVar('req', 'time', 'time') (×2, add/save)
- modules/changelog/language/fr.php:
- Double to single quote on one define() line
Benefits: - Consistent input handling via getVar() throughout admin modules - No more calls to removed save_datetime() helper
Technical notes: - Behaviour unchanged; getVar 'time' type validates and formats identically
Adapts all test files to the camelCase rename sprint: function calls, helper wrappers and comments updated throughout the Unit and integration test suites.
Core changes:
- tests/Unit/InputFilterTest.php:
- saveText → filterHtml in helper and comments
- tests/Unit/PasswordHashTest.php, TemplateIfTest.php:
- Minor naming alignment
- tests/bootstrap.php:
- Updated function references
- Validation tests (BlockValidationTest, SecurityValidationTest, etc.):
- Updated function name expectations
Benefits: - Test suite reflects current API - No regressions introduced by the rename sprint
Technical notes: - phpunit: all tests expected to pass after rename completion
Updates all user-facing and developer-facing documentation to reflect the camelCase function rename sprint completed in core/security.php.
Core changes:
- CONTRIBUTING.md:
- getVar() type table updated (filterWord, filterHtml, filterFields)
- SECURITY.md:
- New section: renamed security functions reference table (20 entries)
- UPGRADING.md:
- Breaking changes section: full migration table for renamed functions
- Version history updated
- docs/TEMPLATES.md:
- Date updated to 2026
- docs/TESTS.md:
- Function names updated to camelCase equivalents
Benefits: - Developers can look up old names and find new equivalents - Migration path is clearly documented for upgraders
Technical notes: - No code changes; documentation only - Covers all renames tracked in GLOSSARY.md
Completes the security/utility function rename sprint: all legacy snake_case identifiers in core/security.php are replaced with camelCase VerbNoun names per SLAED coding standard §3-4, and every call site across the project is updated accordingly.
Core changes:
- Function renames (core/security.php):
- log_report() → addLog()
- is_admin_god() / is_admin() → isAdmin(bool $super = false)
- get_host() → getHost()
- get_referer() → getReferer()
- zip_check() / zip_compress() → checkCompress() / addCompress()
- isVar() / analyze() → filterVar()
- url_filter() → filterUrl()
- num_filter() → filterNum()
- var_filter() → filterWord()
- text_filter() → filterText()
- cutstrc() → filterCut()
- ed2k_link() → getEd2kLink()
- url_clickable() → filterClickable()
- save_text() → filterHtml()
- fields_save() → filterFields()
- display_time() → getDuration()
- rest_time() → getTimeLeft()
- mail_send() → addMail()
- doHackReport() → addHackReport()
- doWarnReport() → addWarnReport()
- error_sql_log() → addSqlLog() (core/classes/pdo.php)
- isAdmin() optimisation (core/security.php):
- Merged isAdminSuper() into isAdmin(bool $super = false)
- Single DB query fills both cache slots (key 0 and key 1)
- hash_equals() for constant-time password comparison
- Strict === throughout; getSqlRow() null-guard added
- Variable renames (core/security.php):
- $ua → $uagt, $ag → $agent, $ipt_base → $iptbase
- $array_index → $arridx, $is_array_all → $allarr
- $date_time → $dtime
- Bug fixes (core/security.php):
- @ suppression removed from $lwrite closure
- getIp() / getAgent() hoisted out of blocker foreach loop
- setCookies() uses implode() instead of fixed $value[0..5] indexing
- getTimeLeft() calls time() once; getHost() has ?: '' fallback
- getSqlRow() null-guard added via ?? ['', '', '']
- Call sites updated across 68 files:
- admin/modules/*.php, modules//index.php, modules//admin/index.php
- core/admin.php, core/system.php, core/user.php, templates/admin/index.php
- core/legacy.php removed (empty guard-only file)
Benefits: - Consistent camelCase API throughout the project - Merged admin-check function reduces DB queries per request - Security hardened: timing-safe comparison, no error suppression
Technical notes: - All renames tracked in .agents/skills/slaed/GLOSSARY.md - php -l: no syntax errors in all changed files - Backward compatible: no public API exposed outside this project
