<?php
  // include shared code
  include '../lib/common.php';
  include '../lib/db.php';
  include '../lib/functions.php';
  include '../lib/User.php';
  
  // 401 file included because user should be logged in to access this page
  include '401.php';
  
  // retrive user information
  $user\; =\; User::getById($_SESSION['userId']);
  
  // validate incoming values
  $forum\_id\; =\; (isset($_GET['fid'])) ? (int)$\_GET[\text{'}fid\text{'}]\; :\; 0;$query = sprintf('SELECT FORUM_ID FROM \%sFORUM WHERE FORUM_ID = \%d',
      DB_TBL_PREFIX, $forum\_id);$result = mysql_query($query,$GLOBALS['DB']);
  if (!mysql_num_rows($result))\; \{\; mysql\_free\_result($result);
      mysql_close($GLOBALS[\text{'}DB\text{'}]);\; die(\text{'}$<p>Invalid forum id.</p>');
  }
  mysql_free_result(result);
  
  $msg\_id\; =\; (isset($_GET['mid'])) ? (int)$\_GET[\text{'}mid\text{'}]\; :\; 0;$query = sprintf('SELECT MESSAGE_ID FROM \%sFORUM_MESSAGE WHERE ' . 
      'MESSAGE_ID = \%d', DB_TBL_PREFIX, $msg\_id);$result = mysql_query($query,$GLOBALS['DB']);
  if (result))
  {
      mysql_free_result($result);\; mysql\_close($GLOBALS['DB']);
      die('<p>Invalid forum id.</p>');
  }
  mysql_free_result($result);$msg_subject = (isset($\_POST[\text{'}msg\_subject\text{'}]))\; ?\; trim($_POST['msg_subject']) : '';
  $msg\_text\; =\; (isset($_POST['msg_text'])) ? trim($\_POST[\text{'}msg\_text\text{'}])\; :\; \text{'}\text{'};$// add entry to the database if the form was submitted and the necessary
  // values were supplied in the form
  if (isset(_POST['submitted']) && msg_text)
  {
      $query\; =\; sprintf(\text{'}INSERT\; INTO$\%sFORUM_MESSAGE (SUBJECT, ' .
          'MESSAGE_TEXT, PARENT_MESSAGE_ID, FORUM_ID, USER_ID) VALUES ' .
          '("\%s", "\%s", \%d, \%d, \%d)', DB_TBL_PREFIX,
          mysql_real_escape_string(msg_subject, $GLOBALS[\text{'}DB\text{'}]),\; mysql\_real\_escape\_string($msg_text, $GLOBALS[\text{'}DB\text{'}]),$msg_id, $forum\_id,$user->userId);
      mysql_query($query,$GLOBALS['DB']);
      echo mysql_error();
  
      // redirect
  
      header('Location: view.php?fid=' . $forum\_id\; .\; (($msg_id) ? 
          '&mid=' . $msg\_id\; :\; \text{'}\text{'}));\; \}$// form was submitted but not all the information was correctly filled in
  else if (isset(_POST['submitted']))
  {
      $message\; =\; \text{'}$<p>Not all information was provided.  Please correct ' .
          'and resubmit.</p>';
  }
  
  // generate the form
  ob_start();
  if (isset(message)) echo $message;\; ?>$<form method="post" 
   action="<?php echo htmlspecialchars(_SERVER['PHP_SELF']) . '?fid=' .
   msg_id; ?>">
   <div>
    <label for="msg_subject">Subject:</label>
    <input type="input" id="msg_subject" name="msg_subject" value="<?php
     echo htmlspecialchars($msg\_subject);\; ?>"/>$<br/>
    <label for="msg_text">Post:</label>
    <textarea id="msg_text" name="msg_text"><?php
     echo htmlspecialchars(msg_text); ?></textarea>
    <br/>
    <input type="hidden" name="submitted" value="1"/>
    <input type="submit" value="Create"/>
   </div>
  </form>
  <?php
  $GLOBALS[\text{'}TEMPLATE\text{'}][\text{'}content\text{'}]\; =\; ob\_get\_contents();\; ob\_end\_clean();$// display the page
  include '../templates/template-page.php';
  ?>