Create PHP news site with admin dashboard and Shopee ad flow#35
💡 Codex Review
Here are some automated review suggestions for this pull request.
| if (!$post) { | ||
| $stmt = $pdo->prepare('SELECT * FROM articles WHERE slug = :slug LIMIT 1'); | ||
| $stmt->execute([':slug' => $slug]); | ||
| $post = $stmt->fetch(); | ||
| if ($post) { | ||
| cache_set($cacheKey, $post, 45); |
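Review bot: the 45-second cache at `cache_set($cacheKey, $post, 45)` stores whatever row the SELECT returned, so if this query is later restricted by status, a row cached just before an article is unpublished stays readable until the TTL expires; invalidate the slug's cache key whenever an article's status changes. Separately, because `cache_set` only runs inside `if ($post)`, a miss on an unknown slug is never cached and every request for it repeats the prepared SELECT; consider caching a short-lived negative marker for misses.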
Filter out non-public articles on slug view
The public post endpoint fetches any article by slug without checking status, so draft or otherwise unpublished posts become fully readable whenever someone guesses or retains the slug, even though the homepage only lists status='public'. This leaks content intended to stay hidden; consider enforcing status='public' (or an auth check) in this query before rendering.
| $id = (int)($_GET['id'] ?? 0); | ||
| $stmt = $pdo->prepare('DELETE FROM articles WHERE id = :id'); | ||
| $stmt->execute([':id' => $id]); |
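Review bot: `$id = (int)($_GET['id'] ?? 0)` silently coerces a missing or non-numeric id to 0 and the DELETE still executes; reject `$id <= 0` with a 400 before preparing the statement, and check `$stmt->rowCount()` after `execute` so a non-existent id returns 404 rather than a silent success.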
Protect delete endpoint with CSRF token
post_delete.php deletes an article directly from a GET parameter with no CSRF verification, so any logged-in admin can be forced to hit /admin/post_delete.php?id=... via a malicious link and silently delete content. Align this with the other admin forms by requiring POST plus a CSRF token before executing the delete.
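One way to harden the delete endpoint along the lines the review suggests, as an added example that is not code from this PR or project: the handler accepts POST only, checks a per-session CSRF token with a constant-time comparison, validates the id, and reports a missing row. It assumes `$pdo` is the app's existing PDO connection and that the admin session is already authenticated before this file runs; the `csrf_token()` / `csrf_valid()` helper names and the redirect target are hypothetical.

```php
<?php
// Added example, not the PR's own post_delete.php.
// Assumes $pdo (PDO connection) and an authenticated admin session.
declare(strict_types=1);

session_start();

// One token per session; admin forms embed it as a hidden field, e.g.
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
//   <input type="hidden" name="id" value="<?= (int)$post['id'] ?>">
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so token mismatches cannot be timed.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}

// A GET link from a malicious page must not be able to trigger the delete.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

if (!csrf_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Reject missing, non-numeric or non-positive ids instead of coercing to 0.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid article id');
}

$stmt = $pdo->prepare('DELETE FROM articles WHERE id = :id');
$stmt->execute([':id' => $id]);
if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('Article not found');
}

header('Location: /admin/posts.php'); // hypothetical admin list page
exit;
```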