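<?php
// createpost.php — renders the "new thread" / "reply" form and handles its
// submission.
//
// Flow: when the form was submitted (the `submit` field is present) the script
// inserts a thread row (only when ?new is in the query string), its poll
// options, and the post itself, then redirects to viewthread.php with a small
// script tag — template_head() has already sent output, so header() is not an
// option. Without a submission it only prints the form. `$_GET['new']` selects
// the "new thread" variant of the form; otherwise `$_GET['thread']` names the
// thread being replied to.
//
// Depends on config.php ($db_server, $db_user, $db_password, $db_database and
// the ThreadType constants) and template.php (template_* helpers). The session
// is assumed to have been started by one of them — TODO confirm.
include 'config.php';
include 'template.php';
template_head('Create Post', 'Jason Gassel, Josh Galan, Matthew McKeller');
template_forum_header();

// Returns the submitted value of a text field, or null when it is absent, not
// a plain string (e.g. submitted as an array), or empty. The original
// `isset() && != NULL && != ''` triple collapses to exactly this for strings.
$postField = function ($name) {
    if (!isset($_POST[$name]) || !is_string($_POST[$name]) || $_POST[$name] === '') {
        return null;
    }
    return $_POST[$name];
};

if (isset($_POST['submit'])) {
    $db = new mysqli($db_server, $db_user, $db_password);
    // `new mysqli(...) or die(...)` can never fire: `or` binds looser than `=`
    // and the object is always truthy. connect_error is the real signal.
    if ($db->connect_error) {
        die('<div class="failure">ERROR: Database connection failed</div>');
    }
    if ($db->select_db($db_database)) {
        // Every insert is attributed to the session user. With bound
        // parameters a missing uid would silently become 0, so refuse early.
        if (!isset($_SESSION['uid'])) {
            $db->close();
            die("<h4 style=\"text-align: center;\">ERROR: You must be logged in to post.</h4>\n");
        }
        $uid = (int) $_SESSION['uid'];
        // Text is stored already HTML-escaped, exactly as before (ENT_HTML5
        // with no quote flag); the viewing pages presumably print it raw, so
        // the escaping has to stay here until they are changed — TODO confirm.
        $queryFailed = '<div class="failure">ERROR: Database query failed</div>';

        if (isset($_GET['new'])) {
            $title = htmlspecialchars((string) $postField('title'), ENT_HTML5);
            $type = ThreadType::Normal;
            $question = null;
            $options = array();
            if ($postField('question') !== null) {
                // Collect the non-empty options once; the original walked the
                // six fields twice (once to test, once to insert).
                for ($i = 1; $i <= 6; $i++) {
                    $option = $postField('option' . $i);
                    if ($option !== null) {
                        $options[] = htmlspecialchars($option, ENT_HTML5);
                    }
                }
                // A question without any option is quietly not a poll, as before.
                if (count($options) > 0) {
                    $type += ThreadType::Poll;
                    $question = htmlspecialchars($postField('question'), ENT_HTML5);
                }
            }
            $tag = $postField('tag');
            if ($tag !== null) {
                $type += ThreadType::Sticky;
                $tag = htmlspecialchars($tag, ENT_HTML5);
            }
            // ThreadType constants are combined with += above, so they are
            // treated as integers here — TODO confirm against config.php.
            $type = (int) $type;
            // Bound parameters replace the hand-quoted INSERT; a PHP null binds
            // as SQL NULL, which is what the old 'NULL' placeholder produced.
            $stmt = $db->prepare('INSERT INTO thread (uid, title, type, question, tag) VALUES (?, ?, ?, ?, ?)');
            if ($stmt === false
                || !$stmt->bind_param('isiss', $uid, $title, $type, $question, $tag)
                || !$stmt->execute()) {
                $db->close();
                die($queryFailed);
            }
            $tid = (int) $db->insert_id;
            $stmt->close();

            if (count($options) > 0) {
                $stmt = $db->prepare('INSERT INTO poll_option (tid, oid, option_text) VALUES (?, ?, ?)');
                $oid = 0;
                $optionText = '';
                if ($stmt === false || !$stmt->bind_param('iis', $tid, $oid, $optionText)) {
                    $db->close();
                    die($queryFailed);
                }
                // bind_param holds references, so reassigning the two locals
                // per iteration is enough; oid numbers the kept options 1..n.
                foreach ($options as $index => $optionText) {
                    $oid = $index + 1;
                    if (!$stmt->execute()) {
                        $db->close();
                        die($queryFailed);
                    }
                }
                $stmt->close();
            }
        } elseif (isset($_GET['thread'])) {
            $tid = (int) $_GET['thread'];
        } else {
            $db->close();
            die("<h4 style=\"text-align: center;\">ERROR: You're not supposed to be here...</h4>\n");
        }

        $text = htmlspecialchars((string) $postField('post'), ENT_HTML5);
        $stmt = $db->prepare('INSERT INTO post (tid, uid, date, time, text) VALUES (?, ?, CURDATE(), CURTIME(), ?)');
        if ($stmt === false
            || !$stmt->bind_param('iis', $tid, $uid, $text)
            || !$stmt->execute()) {
            $db->close();
            die($queryFailed);
        }
        $stmt->close();
        $db->close();
        // $tid is an int on both paths, so it is safe inside the script literal.
?>
<script>
window.location = "viewthread.php?thread=<?= $tid; ?>";
</script>
<?php
        die();
    } else {
        echo " <h4 style=\"text-align: center;\">Database not found: <a href=\"install.php\">Install</a></h4>\n";
        $db->close();
    }
}

// The thread id is echoed into the action attribute; casting it to int stops
// a crafted ?thread= value from breaking out of the attribute (it was echoed
// raw before), and matches the (int) cast applied on submission anyway.
$formQuery = (isset($_GET['new']) ? 'new' : '')
    . (isset($_GET['thread']) ? '&thread=' . (int) $_GET['thread'] : '');
echo " <form name=\"postForm\" action=\"createpost.php?" . $formQuery . "\" method=\"post\">";
if (isset($_GET['new'])) {
    echo " <label for=\"title\">Thread Title:</label><input type=\"text\" name=\"title\" required autofocus /><br />\n";
}
?>
<textarea name="post" rows=10 cols=50 maxlength=10000 required <?= isset($_GET['new']) ? '' : 'autofocus' ?>></textarea><br />
<?php
if (isset($_GET['new'])) {
?>
<label for="question">Poll Question:</label><input type="text" name="question" /><br />
<label for="option1">Option 1:</label><input type="text" name="option1" /><br />
<label for="option2">Option 2:</label><input type="text" name="option2" /><br />
<label for="option3">Option 3:</label><input type="text" name="option3" /><br />
<label for="option4">Option 4:</label><input type="text" name="option4" /><br />
<label for="option5">Option 5:</label><input type="text" name="option5" /><br />
<label for="option6">Option 6:</label><input type="text" name="option6" /><br />
<label for="tag">Sticky Tag:</label><input type="text" name="tag" /><br />
<?php
}
?>
<input type="submit" value="Submit" name="submit" />
</form>
<?php
template_footer();
?>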