Create PHP news site with admin dashboard and Shopee ad flow#36
💡 Codex Review
Here are some automated review suggestions for this pull request.
| $stmt = $pdo->prepare('SELECT * FROM articles WHERE slug = :slug LIMIT 1'); | ||
| $stmt->execute([':slug' => $slug]); | ||
| $post = $stmt->fetch(); | ||
| if ($post) { |
Restrict draft articles from public slug access
The post page queries by slug without checking status, so hitting /some-slug returns the article even if it is still a draft. That leaks unpublished content to anyone who guesses or receives the slug; the homepage hides drafts but the direct route does not. Add a status='public' constraint (and invalidate the cache) before rendering the page.
| $id = (int)($_GET['id'] ?? 0); | ||
| $stmt = $pdo->prepare('DELETE FROM articles WHERE id = :id'); | ||
| $stmt->execute([':id' => $id]); |
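Review bot: The `(int)($_GET['id'] ?? 0)` cast silently turns a missing, non-numeric or negative id into 0 or a meaningless value, and the DELETE then runs and "succeeds" without matching any row. Validate the id as a positive integer (for example with `filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])` once the endpoint is moved to POST), respond 400 on failure, and check `$stmt->rowCount()` so the handler can return 404 instead of reporting a deletion that never happened.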
Protect post deletion with CSRF and POST
The delete endpoint executes on a GET request and never calls verify_csrf, so any webpage visited by a logged-in admin can trigger /admin/post_delete.php?id=... and delete arbitrary articles via a crafted link. Destructive admin actions should require POST and validate the CSRF token to prevent cross-site request forgery.
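A hardened form of the delete handler the comment above asks for, as an added example rather than code from this PR: it rejects anything but POST, checks the CSRF token, and validates the id. The `csrf_token`/`verify_csrf` helpers and the `/admin/` redirect target are assumptions standing in for the project's own session and CSRF code, which this page does not show.

```php
<?php
// Added example (not the PR's code). The helpers below are assumed stand-ins
// for the project's own CSRF utilities; only /admin/post_delete.php is from the PR.
session_start();

function csrf_token(): string {
    // One random token per session, rendered into every admin form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verify_csrf(?string $token): bool {
    // hash_equals avoids leaking the token through comparison timing.
    return is_string($token)
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $token);
}

function handle_post_delete(PDO $pdo): void {
    // A crafted link or <img> tag only issues GET, so it never reaches the DELETE.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Method Not Allowed');
    }
    // A cross-site form post cannot read the session-bound token, so it fails here.
    if (!verify_csrf($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Reject missing, non-numeric, zero and negative ids instead of casting them to 0.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid article id');
    }
    $stmt = $pdo->prepare('DELETE FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    if ($stmt->rowCount() === 0) {
        http_response_code(404);
        exit('Article not found');
    }
    header('Location: /admin/', true, 303); // assumed admin landing page
    exit;
}
```

The matching admin form posts to `/admin/post_delete.php` with a hidden `csrf_token` field set to `htmlspecialchars(csrf_token())` and a hidden `id` field; `handle_post_delete($pdo)` is then called with the app's existing PDO connection.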