After my customers place an order, I send an email confirmation using the following code, but I want to prevent PHPSESSID from being included in this email:
$body = "";
foreach ($_REQUEST as $Field => $Value) {
    if ($Value != '') {
        $body .= "$Field: $Value\n\n";
    }
}
At the top of the PHP file, I have the following regarding the session ID:
<?php session_start(); ?>
<?php if (!isset($_SESSION['id'])) : ?>
Somehow, this must create a PHPSESSID field with a value that is getting picked up by my $body code.
The email output generated looks like the following:
_fname: Mark
_lname: Smith
_Address_1: South St
_Phone: 123-456-7890
_email: [email protected]
_Date_Needed: 4/19/17
B1: Submit
PHPSESSID: (some string of characters)
Interestingly, the B1 Submit and the PHPSESSID are not variables that I am using, but the code is finding those values and returning them. The B1 Submit is an irritation, but I think the PHPSESSID is a possible security risk.
I am using $_REQUEST to get form data from the user as follows:
$_fname=$_REQUEST['_fname'];
$_lname=$_REQUEST['_lname'];
$_Address_1=$_REQUEST['_Address_1'];
Maybe I should change that from $_REQUEST to $_GET and then use $_GET in the email creation as well?
If your form is getting POST data, then merely change it to:
foreach ($_POST as $Field => $Value) {
    if ($Value != '') {
        $body .= "$Field: $Value\n\n";
    }
}
If it's using GET data, change it to $_GET instead of $_POST.
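PHP can merge cookies into $_REQUEST (controlled by the request_order and variables_order ini settings), which is how the PHPSESSID session cookie ends up in a loop over it. The block below is an added example, not code from either post: it builds the body from an explicit allowlist so that only expected fields reach the email, whatever else the request carries. The helper name build_order_body() and the sample array are assumptions; the field names are taken from the email output shown in the question.

```php
<?php
// Added example: build the confirmation body from an allowlist of expected fields.
// build_order_body() is a hypothetical helper; field names come from the question's output.

const ORDER_FIELDS = ['_fname', '_lname', '_Address_1', '_Phone', '_email', '_Date_Needed'];

function build_order_body(array $input, array $allowed = ORDER_FIELDS): string
{
    $body = '';
    foreach ($allowed as $field) {
        $value = $input[$field] ?? '';
        // Skip missing, empty, or non-string (e.g. array-valued) parameters.
        if (!is_string($value) || trim($value) === '') {
            continue;
        }
        // Collapse control characters so a value cannot span lines
        // and imitate another "Field: Value" entry in the email.
        $value = trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
        $body .= "$field: $value\n\n";
    }
    return $body;
}

// Constructed sample of what $_REQUEST can contain when cookies are merged in.
$sampleRequest = [
    '_fname'       => 'Mark',
    '_lname'       => 'Smith',
    '_Address_1'   => "South St\r\nApt 2",      // embedded line break gets flattened
    '_Phone'       => '123-456-7890',
    '_Date_Needed' => '4/19/17',
    'B1'           => 'Submit',                 // submit button, not in the allowlist
    'PHPSESSID'    => 'constructed-session-id', // session cookie, not in the allowlist
];

// Prints only the five allowlisted fields that are present; B1 and PHPSESSID are dropped.
echo build_order_body($sampleRequest);

// In the real handler, pass $_POST (or $_GET) instead of the sample array.
```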