4.8 KiB
Concerns & Technical Debt
Last updated: 2026-03-12
Security Issues
HIGH — Sensitive data logged to public file
File: autoload/front/Controllers/ShopOrderController.php:32
file_put_contents('tpay.txt', print_r($_POST, true) . print_r($_GET, true), FILE_APPEND);
- Logs entire POST/GET (including payment data) to
tpay.txtlikely in webroot - Possible information disclosure
- Fix: Remove log or write to non-public path (e.g.,
/logs/)
HIGH — Hardcoded payment seed
File: autoload/front/Controllers/ShopOrderController.php:105
hash("sha256", "ProjectPro1916;" . round($summary_tmp, 2) ...)
- Hardcoded secret in source — should be in
config.php
MEDIUM — SQL table name interpolated
File: autoload/Domain/Integrations/IntegrationsRepository.php:31
$stmt = $this->db->query("SELECT * FROM $table");
- Technically mitigated by whitelist in
settingsTable(), but violates "no SQL string concatenation" rule - Fix: Use Medoo's native
select()method
MEDIUM — Path traversal in unlink()
Files: autoload/Domain/Product/ProductRepository.php:1605,1617,2129,2163 and autoload/Domain/Article/ArticleRepository.php:321,340,823,840
if (file_exists('../' . $row['src'])) {
unlink('../' . $row['src']);
}
- Path from DB, no traversal check
- A DB compromise could delete arbitrary files
- Fix:
$basePath = realpath('../upload/');
$fullPath = realpath('../' . $row['src']);
if ($fullPath && strpos($fullPath, $basePath) === 0) {
unlink($fullPath);
}
MEDIUM — Unsanitized output in templates
Files:
templates/articles/article-full.php— article title and$_SERVER['SERVER_NAME']concatenated without escapingtemplates/articles/article-entry.php—$urland article titles not escaped
MEDIUM — Missing CSRF tokens
- No evidence of CSRF tokens on admin panel forms
- State-changing POST endpoints (create/update/delete) are potentially CSRF-vulnerable
Architecture Issues
IntegrationsRepository too large (875 lines)
File: autoload/Domain/Integrations/IntegrationsRepository.php
Does too many things: settings CRUD, logging, Apilo OAuth, product sync, webhook handling, ShopPRO import.
Suggested split: ApiloAuthManager, ApiloProductSyncService, ApiloWebhookHandler, IntegrationLogRepository, IntegrationSettingsRepository
ProductRepository too large (3583 lines)
File: autoload/Domain/Product/ProductRepository.php
Candidate for extraction of: pricing logic, image handling, cache management, Google feed generation.
ShopProductController too large (1199 lines)
File: autoload/admin/Controllers/ShopProductController.php
Helpers.php too large (1101 lines)
File: autoload/Shared/Helpers/Helpers.php
Static utility god class. Extract into focused service classes.
Duplicate email logic
\Shared\Helpers\Helpers::send_email()and\Shared\Email\Email::send()both wrap PHPMailer- Should be unified in
\Shared\Email\Email - Documented in
docs/MEMORY.md
47 global $mdb usages remain
- DI is complete in Controllers, but some Helpers methods still use
global $mdb - Should be gradually eliminated
Dead Code / Unused Files
| File | Issue |
|---|---|
libraries/rb.php |
RedBeanPHP — no references found in autoload, candidate for removal |
cron-turstmate.php (note: typo) |
Legacy/questionable cron handler |
devel.html |
Development artifact in project root |
output.txt |
Artifact file |
libraries/filemanager-9.14.1/ + 9.14.2/ |
Duplicate versions |
Missing Error Handling
IntegrationsRepository.php:163-165— DB operations after Apilo token refresh lack try-catchShopOrderController.php:32—file_put_contents()return value not checkedProductRepository.php:1605—unlink()without error handlingcron.php:2—error_reporting(E_ALL ^ E_NOTICE ^ E_STRICT ^ E_WARNING ^ E_DEPRECATED)silences all warnings, hiding potential bugs
Known Issues (from docs/TODO.md & docs/MEMORY.md)
| Issue | Location | Status |
|---|---|---|
| Newsletter save/unsubscribe needs testing | Domain/Newsletter/ |
Open |
| Duplicate email sending logic | Helpers.php vs Email.php |
Open |
$mdb->delete() 2-arg pitfall |
Documented in MEMORY.md | Known pitfall |
Summary by Priority
| Priority | Count | Key Action |
|---|---|---|
| Immediate (security) | 5 | Remove tpay.txt logging, fix path traversal, move hardcoded secret to config |
| High (architecture) | 3 | Split IntegrationsRepository, unify email logic, add CSRF |
| Medium (quality) | 4 | Escape template output, add try-catch, remove dead files |
| Low (maintenance) | 3 | Remove rb.php, reduce Helpers.php, document helpers usage |