
Build shared-hosting news site with ad flow and themes#28

Open
huzely wants to merge 1 commit into master from codex/develop-complete-news-website-source-code-1tq2pe

Conversation

@huzely (Owner) commented Dec 25, 2025

Summary

  • rebuild news portal to required public_html structure with themeable frontend, slug routing via .htaccess, and Shopee overlay flow
  • add admin CRUD/settings/stats pages using PDO, CSRF, rate-limit tracking API, and Telegram notification helpers
  • include MySQL schema with seed data, config.php-based settings, and README tailored for dataonline.vn deployment

Testing

  • php -l on all PHP files

Codex Task

@chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment on lines +1 to +4
<?php
require_once __DIR__ . '/../app/lib/auth.php';
admin_logout();
header('Location: ' . BASE_URL . '/admin/login.php');
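Review bot: the `header('Location: ...')` call on the last line is not followed by `exit;`, so any code appended to this file later would still execute for the logged-out request; end the script immediately after the redirect, e.g. `header('Location: ' . BASE_URL . '/admin/login.php', true, 303); exit;`. Independently, `admin_logout()` is invoked here with no `session_start()` on the page, so there is no active session for it to destroy.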

P1: Logout endpoint never invalidates the session

The logout handler calls admin_logout() without ever calling session_start(), while admin_logout() only invokes session_destroy(). PHP ignores session_destroy() when no session is active, so this endpoint redirects without clearing the session cookie or data and the admin remains logged in. Start the session before destroying it (or call session_start() inside admin_logout()) so logout actually ends the session.

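The fix the comment asks for, written out as an added example; this is not code from the PR, and the function name `admin_logout_hardened` and the `BASE_URL` constant (which the PR description says lives in config.php) are assumptions. It resumes the session so that `session_destroy()` has something to act on, clears the server-side data, and expires the session cookie on the client so the old session ID stops being sent:

```php
<?php
// Added example, not the PR's code: a logout helper that actually ends the
// admin session. The function name is an assumption.
declare(strict_types=1);

function admin_logout_hardened(): void
{
    // session_destroy() is a no-op unless a session is active, so resume it first.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop the in-memory copy; session_destroy() below removes the stored data.
    $_SESSION = [];

    // Expire the session cookie on the client with the same attributes it was
    // issued with; otherwise the browser keeps sending the old session ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }

    session_destroy();
}

// Endpoint usage (BASE_URL assumed to be defined in config.php):
// admin_logout_hardened();
// header('Location: ' . BASE_URL . '/admin/login.php', true, 303);
// exit;
```

The `exit` after the redirect matters as much as the session handling: without it, anything that follows the `header()` call still runs for a request that is supposed to be logged out.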

Comment on lines +10 to +14
if (!empty($_FILES['logo']['name'])) {
$ext = pathinfo($_FILES['logo']['name'], PATHINFO_EXTENSION);
$name = 'assets/img/logo_'.time().'.'.$ext;
move_uploaded_file($_FILES['logo']['tmp_name'], __DIR__.'/../'.$name);
$logoPath = $name;
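Review bot: the return value of `move_uploaded_file()` on the fourth line is ignored and `$logoPath = $name;` is assigned regardless, so a failed move (permissions, full disk) silently saves a path to a file that does not exist; guard the assignment with `if (move_uploaded_file(...)) { $logoPath = $name; }`. The name itself is also weak: `$ext` is taken verbatim from the client's filename, and `'logo_'.time()` collides for two uploads in the same second and is trivially guessable. Derive the extension from a validated content type and use a random filename (for example `bin2hex(random_bytes(8))`) instead.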

P1: File uploads accept arbitrary executable types

The settings form saves uploaded logo/banner files directly to public_html/assets/img using the user-supplied extension and without any MIME/type whitelist or path checks. An authenticated admin can therefore upload a PHP file (or other executable) and have it written to a web-accessible location, leading to straightforward remote code execution. Validate the file type and restrict extensions/paths before moving the upload.

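A hardened version of the upload step, added here as an example rather than taken from the PR. The function name `save_image_upload`, the size limit, and the allowed-type table are assumptions; the `assets/img` location under `public_html` is the one the comment names. The type is decided from file content via `finfo`, the stored extension is chosen from that type rather than from the client's filename, the file gets a random server-chosen name, and the result of `move_uploaded_file()` is checked before the setting is updated:

```php
<?php
// Added example, not the PR's code: save an uploaded logo only if it is a real
// image of an allowed type, under a server-chosen name. Names are assumptions.
declare(strict_types=1);

/** Allowed MIME types mapped to the extension the file will be stored with. */
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MiB, an assumed limit

/**
 * Validates $files[$field] and moves it into $uploadDir.
 * Returns the path relative to public_html, or null if the upload is rejected.
 */
function save_image_upload(array $files, string $field, string $uploadDir): ?string
{
    $f = $files[$field] ?? null;
    if ($f === null || ($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null; // nothing uploaded, or PHP reported an upload error
    }
    if (!is_uploaded_file($f['tmp_name']) || $f['size'] > MAX_UPLOAD_BYTES) {
        return null;
    }

    // Decide the type from file content, never from the client-supplied
    // filename or the 'type' field, both of which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // getimagesize() must also agree that the bytes parse as an image.
    if (@getimagesize($f['tmp_name']) === false) {
        return null;
    }

    // Server-chosen, unguessable name; extension comes from the detected type,
    // so a client-supplied ".php" can never reach disk.
    $name = 'logo_' . bin2hex(random_bytes(8)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // Only report a path if the move actually succeeded.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // readable, not executable
    return 'assets/img/' . $name;
}

// Usage in the settings handler (assumed layout: this file lives in public_html/admin/):
// $logoPath = save_image_upload($_FILES, 'logo', __DIR__ . '/../assets/img');
// if ($logoPath === null) { /* report a validation error and keep the previous logo */ }
```

As defence in depth, the `.htaccess` the PR already uses for slug routing can be complemented by one in `assets/img` that disables script execution for that directory (for example by removing the PHP handler there), so that even a future validation bug cannot turn an upload into executable code.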
