feedback system for static web pages

Static web pages have a lot of advantages, but they don't let people easily respond with comments to the page author, even though HTML forms do allow some limited feedback.

I could make a single ordinary HTML feedback form which is called from every comment link on every page, but that has a problem. Many people would not realise that I can't know what item they are responding to. They might send me a statement like, "This was interesting," which would be useless because I'd have no idea what they were referring to.

I could make a comment form for each item on my website, but with more than a hundred items on my site that I invite comments for, that could get very unwieldy very quickly.

So I realised I could use ordinary HTML links to look like they're sent from non-existent GET forms calling a PHP script on my server. (Most servers have PHP installed.) This means the link has, after the main part of the address, a question mark, followed by a quick description of the item it refers to, for example:
<a href="feedback-form.php?title=Selena%20City&media=novel">comment.</a>

As you can see, the link has, appended to the address, the title and media of the object, which is sent to the first php script, "feedback-form.php". This lets me know what item the person is commenting on, so I don't have to rely upon them mentioning it in their comment. (Here is an example fake-get.html file.)

The PHP script uses the information contained in the link to dynamically create an ordinary HTML form for that particular topic. The person fills out as much or as little info in the form as they wish and clicks "send". The contents of the form are POSTed back to a second PHP script which then builds an email out of the text sent by the person and sends it to me.

feedback-form.php

<?php
if(empty($_GET['title']))
{
	//This page should not be accessed directly. Need to submit the form.
	echo "Error: you need to use a link that sends a title!";
	exit;
}

$title = $_GET['title'];
$media = $_GET['media'];

echo "<blockquote><h3>Feedback for \"$title\"</h3>";
echo "<form method='post' name='feedbackform' action='feedback-email.php'>";
echo "<label for='name'>Your name (optional)</label><br><input type='text' name='name'>";
echo "<p><label for='email'>Your email address (optional)</label><br><input type='text' name='email'></p>";
echo "<p><label for='message'>Tell me what you thought about \"$title\", or anything else.</label><br><textarea name='message' rows='10' cols='60'></textarea></p>";
echo "<input type='hidden' name='title' value='$title'>";
echo "<input type='hidden' name='media' value='$media'>";
echo "<input type='submit' name='submit' value='send'></form></blockquote>";

?>

This php script receives the title and media as if it was sent using the GET action from an HTML form. This script then builds an HTML form which it echoes to the commenter.

That form looks like this:

It has optional fields for name and email, and a required field for the message. It also has 2 hidden fields in order to pass on the title and media of the object being commented on. If the link is for the book "Selena City", then here is the code that the PHP script sends to the user's computer as if it was a real webpage:

<blockquote><h3>Feedback for "Selena City"</h3>
<form method='post' name='feedbackform' action='feedback-email.php'>
<label for='name'>Your name (optional)</label><br><input type='text' name='name'>"
<p><label for='email'>Your email address (optional)</label><br><input type='text' name='email'></p>
<p><label for='message'>Tell me what you thought about "Selena City", or anything else.</label><br>
<textarea name='message' rows='10' cols='60'></textarea></p>
<input type='hidden' name='title' value='Selena City'>
<input type='hidden' name='media' value='novel'>";
<input type='submit' name='submit' value='send'></form></blockquote>
When the person clicks on the "send" button, the info they've given is POSTed to the second php script, "feedback-email.php".

feedback-email.php

<?php
if(!isset($_POST['submit']))
{
	//This page should not be accessed directly. Need to submit the form.
	echo "error; you need to submit the form!";
	exit;
}

$name = $_POST['name'];
$visitor_email = $_POST['email'];
$message = $_POST['message'];
$title = $_POST['title'];
$media = $_POST['media'];

//Validate first
if(empty($message)) 
{
    echo "Huh? No message!";
    exit;
}

$to = 'foo@example.com';//<== update the email address
$email_from = 'foo@example.com';//<== update the email address
$headers = "From: $email_from \r\n";
$email_subject = "Feedback";
$email_body = "Feedback on $media '$title' \n" .
    " from: $name \n".
    " at: $visitor_email \n\n".
    "$message\n\n".
	"-------------\n";

//Send the email!
mail($to,$email_subject,$email_body,$headers);

//done. redirect to thank-you page.
header('Location: feedback-thank-you.html');
   
?> 
After a quick check that it was sent by a submit button, its 5 items of data are stored into variables: $name, $visitor_email, $message, $title, and $media. There is a check to make sure it contains a message — if none, it exits — otherwise it builds an email to (me), from (me), subject ("Feedback"), and email body ($media, $title, $name, $visitor_email, $message). Then sends it to me. Finally it redirects to the thank-you.html page.

feedback-thank-you.html

This can be anything. I chose to make a simple, colorful thankyou page. I should really add a way for it to return to the page containing the original comment link. feedback-thank-you.html page.

security

I hardcoded all the email headers (to, from, subject) to make it impossible for spammer creeps from injecting fake headers into the email. The user-provided data is only going into the message body which I think is safe from malevolent code. Also, it seems the current version of php (v7.4) is safe from email injection anyway.

So, that's it. Feel free to use the above code.