Create PHP news site with admin dashboard and Shopee ad flow

[huzely]

Summary

• Build public news site with slug-based routing, multi-theme UI, Shopee overlay ad flow, and caching
• Add Vietnamese admin panel for login, CRUD bài viết, cài đặt, thống kê, copy link, và đổi theme/logo/banner
• Implement PDO database schema, tracking API với rate-limit, Telegram queue, và cơ chế lỗi/log thân thiện
• Refine Shopee overlay theo đặc tả (bypass ?ad=0, giữ affiliate, chạy trên click slug và truy cập trực tiếp), gộp thông báo click qua Telegram, và truyền token để track ad_click không delay
• Bổ sung thống kê ngày/tháng + reset, API stats mở rộng, cập nhật README và sửa khởi tạo session để tránh cảnh báo trên hosting

Testing

• find public_html -name '*.php' -print0 | xargs -0 -n1 php -l

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Restrict draft posts from public access

The post page loads any article by slug without checking status, so unpublished drafts are rendered to anyone who knows or guesses the slug. Because new articles default to draft, a public request to /some-slug will reveal the draft content even though it was never published. Filter by status='public' or require authentication before serving the article.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Add CSRF protection to post deletion

The delete endpoint deletes articles on a GET request without validating a CSRF token. A malicious page can therefore embed an image or link to /admin/post_delete.php?id=… and, if an admin is logged in, their browser will delete the post without consent. Destructive actions should be POST-only with CSRF verification to prevent cross-site deletes.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Move error log out of the public web root

Error logging is configured to write to public_html/logs/app.log, which sits under the publicly served web root and is not blocked by .htaccess, so anyone can download server error logs (including stack traces and DB errors) via /logs/app.log when APP_DEBUG is off. Store logs outside the document root or deny HTTP access to that path to avoid leaking sensitive information.

Useful? React with 👍 / 👎.