forms/submit.php

<?php
// submit.php - Handles saving an answer and displaying the result

$answers_dir = __DIR__ . '/data/answers';
if (!is_dir($answers_dir)) {
    mkdir($answers_dir, 0755, true);
}

$is_post = ($_SERVER['REQUEST_METHOD'] === 'POST');
$form_id = $_REQUEST['form_id'] ?? $_GET['id'] ?? '';
$answer_id = $_REQUEST['answer_id'] ?? $_POST['edit_id'] ?? '';

$form_file = __DIR__ . '/data/forms/' . preg_replace('/[^a-zA-Z0-9_-]/', '', $form_id) . '.json';
if (empty($form_id) || !file_exists($form_file)) {
    die('<div style="font-family:sans-serif; text-align:center; padding:50px;"><h2>Form Not Found</h2></div>');
}

$form_data = json_decode(file_get_contents($form_file), true);
$questions_map = [];
foreach ($form_data['questions'] as $q) {
    $questions_map[$q['id']] = $q['label'];
}

$injected_js = '';

if ($is_post) {
    // Process form submission
    $respondent_name = trim($_POST['respondent_name'] ?? 'Anonymous');
    $respondent_email = trim($_POST['respondent_email'] ?? '');
    $answers = $_POST['answers'] ?? [];
    
    $is_edit = !empty($answer_id);
    if (!$is_edit) {
        $answer_id = uniqid('ans_');
    }
    
    $safe_answer_id = preg_replace('/[^a-zA-Z0-9_-]/', '', $answer_id);
    
    $answer_data = [
        'answer_id' => $safe_answer_id,
        'form_id' => $form_id,
        'respondent_name' => $respondent_name,
        'respondent_email' => $respondent_email,
        'submitted_at' => date('c'),
        'answers' => $answers
    ];
    
    file_put_contents("$answers_dir/{$form_id}_{$safe_answer_id}.json", json_encode($answer_data, JSON_PRETTY_PRINT));
    
    // No longer injecting JS to prevent double-submit.
    $injected_js = "";
    
    // Email notification if provided
    if (!empty($respondent_email) && filter_var($respondent_email, FILTER_VALIDATE_EMAIL)) {
        $subject = "Your submission for: " . $form_data['title'];
        $body = "Hi $respondent_name,\n\nThank you for your submission.\nHere is what you submitted:\n\n";
        
        foreach ($answers as $q_id => $val) {
            $label = $questions_map[$q_id] ?? 'Question';
            $val_str = is_array($val) ? implode(', ', $val) : $val;
            $body .= "$label:\n$val_str\n\n";
        }
        
        $host = $_SERVER['HTTP_HOST'];
        $headers = "From: no-reply@" . $host . "\r\n";
        @mail($respondent_email, $subject, $body, $headers);
    }
    
    // Redirect to self as GET to prevent duplicate POSTs on refresh
    header("Location: submit.php?id=" . urlencode($form_id) . "&answer_id=" . urlencode($safe_answer_id) . "&success=1");
    exit;
}

// Display Mode (GET)
$success = isset($_GET['success']);
$safe_answer_id = preg_replace('/[^a-zA-Z0-9_-]/', '', $answer_id);
$answer_file = "$answers_dir/{$form_id}_{$safe_answer_id}.json";

if (empty($safe_answer_id) || !file_exists($answer_file)) {
    die('<div style="font-family:sans-serif; text-align:center; padding:50px;"><h2>Submission Not Found</h2></div>');
}

$answer_data = json_decode(file_get_contents($answer_file), true);
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Submission Complete</title>
    <link rel="stylesheet" href="assets/css/style.css">
    <script>
        <?= $injected_js ?> // Output any localstorage writes if we didn't redirect (e.g. if we chose to drop the header(Location))
        
        function clearAndAnswerNew() {
            // we don't need to clear submissions here anymore since we allow doubles
            window.location.href = 'answer.php?id=<?= htmlspecialchars($form_id) ?>';
        }
    </script>
</head>
<body>
    <header class="site-header">
        <div class="container header-inner">
            <div class="brand">
                <span class="brand-title"><?= htmlspecialchars($form_data['title']) ?></span>
            </div>
        </div>
    </header>

    <main class="container">
        <?php if ($success): ?>
            <div class="alert alert-success mt-3 mb-3">
                Your response has been successfully saved.
                <?php if (!empty($answer_data['respondent_email'])): ?>
                    <br><small>A copy of your responses was sent to <?= htmlspecialchars($answer_data['respondent_email']) ?>.</small>
                <?php endif; ?>
            </div>
        <?php endif; ?>

        <div class="panel">
            <h2 class="card-title">Submitted Answers</h2>
            <br>
            <table class="table-compact responsive-table">
                <tbody>
                    <tr>
                        <td data-label="Respondent"><strong><?= htmlspecialchars($answer_data['respondent_name']) ?></strong></td>
                    </tr>
                    <?php foreach ($answer_data['answers'] as $q_id => $val): ?>
                        <tr>
                            <td data-label="<?= htmlspecialchars($questions_map[$q_id] ?? 'Question') ?>">
                                <div><strong style="color:var(--brand-muted); font-size:0.85rem;"><?= htmlspecialchars($questions_map[$q_id] ?? 'Question') ?></strong></div>
                                <div><?= nl2br(htmlspecialchars(is_array($val) ? implode(', ', $val) : $val)) ?></div>
                            </td>
                        </tr>
                    <?php endforeach; ?>
                </tbody>
            </table>
        </div>

        <div class="panel text-center" style="background:transparent; border:none; box-shadow:none;">
            <a href="answer.php?id=<?= htmlspecialchars($form_id) ?>&edit=<?= htmlspecialchars($answer_data['answer_id']) ?>" class="btn mt-2">Edit Response</a>
            <button onclick="clearAndAnswerNew()" class="btn btn-secondary mt-2">Add another answer</button>
        </div>
    </main>
</body>
</html>