
Create PHP news site with admin dashboard and Shopee ad flow #33

Open

huzely wants to merge 1 commit into master from codex/create-complete-news-website-thgq7u

Conversation

@huzely (Owner) commented Dec 29, 2025

Summary

  • Build public news site with slug-based routing, multi-theme UI, Shopee overlay ad flow, and caching
  • Add Vietnamese admin panel for login, article CRUD, settings, statistics, copy link, and switching theme/logo/banner
  • Implement PDO database schema, tracking API with rate limiting, Telegram queue, and friendly error/log handling
  • Refine the Shopee overlay per the spec (bypass with ?ad=0, keep affiliate, run on slug click and on direct access) and batch click notifications via Telegram
  • Add daily/monthly statistics with reset, an extended stats API, an updated README, and a fix to session initialization to avoid warnings on hosting

Testing

  • find public_html -name '*.php' -print0 | xargs -0 -n1 php -l

Codex Task

@chatgpt-codex-connector (bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment thread public_html/post.php
Comment on lines +15 to +17
$stmt = $pdo->prepare('SELECT * FROM articles WHERE slug = :slug LIMIT 1');
$stmt->execute([':slug' => $slug]);
$post = $stmt->fetch();
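Review bot: the no-match case is not handled in this hunk. `$stmt->fetch()` returns `false` when no article has that slug, so the code following the third line must check `$post === false` and answer with a 404 before rendering or caching; otherwise the template runs against `false` and whatever it produces for a missing row is cached under that slug like a real article. Suggested guard right after the fetch: `if ($post === false) { http_response_code(404); exit; }`.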

P1: Prevent drafts from being served via slug route

The article page loads whatever row matches the slug without filtering on status, so hitting /{slug} will render drafts or other unpublished records if their slug is known or guessed. That bypasses the admin publish flag and caches the content for 45 seconds, exposing drafts to anonymous visitors. Add a status='public' condition (and avoid caching otherwise) before rendering the page.


Comment on lines +32 to +34
o.addEventListener('click', function(){
openFlow(S.currentSlug);
});

P1: Record ad overlay clicks via tracking API

The ad overlay click handler only opens the article and redirects to the Shopee link, but never calls trackEvent (/api/track.php) with the ad_click event. As a result the events table stays empty for ad clicks and admin stats/Telegram aggregation (used in admin/dashboard.php, admin/stats.php, and api/stats.php) will always report zero even when users interact with the overlay. Trigger the tracking call (with the slug and CSRF token already emitted on the page) when the overlay is clicked before redirecting.


Comment on lines +9 to +11
$id = (int)($_GET['id'] ?? 0);
$stmt = $pdo->prepare('DELETE FROM articles WHERE id = :id');
$stmt->execute([':id' => $id]);
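Review bot: the `(int)` cast on the first line of this hunk turns a missing, empty or non-numeric `id` into `0`, so the handler goes on to run `DELETE FROM articles WHERE id = 0`, which matches nothing yet lets the request complete as if it had succeeded. Validate the parameter instead, e.g. `filter_var($_GET['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])` with a 400 response on failure, and check `$stmt->rowCount()` after the execute so the admin is told whether a row was actually removed.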

P1: Protect delete endpoint with CSRF

The delete endpoint deletes posts on a simple GET request with no CSRF verification. Any page can trigger GET /admin/post_delete.php?id=… (e.g., via an image tag) in the admin’s browser, deleting content as soon as they are logged in despite the confirmation on the listing page. Align it with the other admin forms by requiring POST plus csrf_token before executing the delete.

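A hardened form of the delete handler the comment above asks for, written as an added example rather than code from this PR: it refuses anything but POST, checks a session-bound csrf_token with a constant-time comparison, validates the id before touching the database, and reports whether a row was removed. The `$pdo` variable, the session key name and the redirect target are assumptions.

```php
<?php
// Added example (not the PR's own code): CSRF-protected article delete.
// Assumes $pdo is a configured PDO instance and that an admin auth include
// has already established the session; both names are assumptions.
session_start();

// Issue one token per session; admin forms embed it as a hidden csrf_token field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token against the session copy in constant time.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// A plain GET (for example an <img src=...> on another site) is refused
// before any database work, so a forged request cannot delete anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}
if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Reject a missing or non-positive id instead of running a no-op DELETE.
$id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT,
                 ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid id');
}

$stmt = $pdo->prepare('DELETE FROM articles WHERE id = :id');
$stmt->execute([':id' => $id]);

// rowCount() says whether a row was actually removed; the listing page
// (assumed path) can show that outcome to the admin.
$deleted = $stmt->rowCount() > 0 ? '1' : '0';
header('Location: /admin/posts.php?deleted=' . $deleted);
exit;
```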
