
After my customers place an order, I send an email confirmation using the following code, but I want to prevent PHPSESSID from being included in this email:

$body = "";
foreach ($_REQUEST as $Field => $Value) {
    if ($Value != '') {
        $body .= "$Field: $Value\n\n";
    }
}

At the top of the PHP file, I have the following regarding the session id:

<?php session_start(); ?>
<?php if (!isset($_SESSION['id'])) : ?>

Somehow, this must create a PHPSESSID field with a value that is getting picked up by my $body code.

The email output generated looks like the following:

_fname: Mark
_lname: Smith
_Address_1: South St
_Phone: 123-456-7890
_email: my@email.com
_Date_Needed: 4/19/17
B1: Submit
PHPSESSID: (some string of characters)

Interestingly, the B1 Submit and the PHPSESSID are not variables that I am using, but the code is finding those values and returning them. The B1 Submit is an irritation, but I think the PHPSESSID is a possible security risk.

I am using $_REQUEST to get form data from the user as follows:

$_fname = $_REQUEST['_fname'];
$_lname = $_REQUEST['_lname'];
$_Address_1 = $_REQUEST['_Address_1'];

Maybe I should change that from $_REQUEST to $_GET and then use $_GET in the email creation as well?

Bricked

3 Answers


The issue likely lies with using $_REQUEST instead of $_POST or $_GET, depending on your form/header behaviors. That said, I would guess that since you are using $_REQUEST you are not doing any sanitation of the data being sent. This can result in your mailing system being hijacked by spammers, resulting in getting added to anti-spam blacklists. You likely will want to read up on properly securing mailing systems or utilize a third-party library that covers those issues for you.

The session ID is either being generated or regenerated/resumed by session_start();

Patrick Kelly
  • Thank you for those comments. Regarding "sanitizing": I am validating user entry to strip out line breaks and commas. I am also validating proper formatting of email/phone entry and making sure that all data entry fields are numeric data entry. Is this sufficient "sanitation" per your concerns of anti spammer? – Bricked Apr 18 '17 at 21:28
  • Patrick - please see my updated question. I use $_REQUEST to get the form data. Maybe that is part of the problem. – Bricked Apr 18 '17 at 21:36
  • The session ID is not included in GET or POST; it is part of the cookie data. Request is a composite of all header parameters, not just those used in forms, and so it gets included. – Patrick Kelly Apr 18 '17 at 21:45
  • As for the sanitation you need to ensure there is no way to inject extra headers or message boundaries into the mail content as this can result in the form being hijacked. – Patrick Kelly Apr 18 '17 at 21:55

If your form is getting POST data, then merely change it to:

foreach ($_POST as $Field => $Value) {
    if ($Value != '') {
        $body .= "$Field: $Value\n\n";
    }
}

If it's using GET data, change it to $_GET instead of $_POST.

Curtis G
  • Thank you all for your suggestions. So far using $_POST solved the problem. I tried $_GET, but although that solved the problem it also killed all output. I also tried session_destroy(), but that had little impact. $_POST was the solution. Thank you – Bricked Apr 19 '17 at 12:46
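Bringing the two answers above together, here is an added example (not code from the question or from any answer) that builds the email body from an explicit allow-list of the question's POST fields, so neither the PHPSESSID cookie nor the B1 submit button can reach the message, and strips line breaks from values so a later use in a mail header cannot smuggle extra headers. The function name buildOrderBody and the sample input are assumptions of this example.

```php
<?php
// Added example: $_REQUEST merges GET, POST and COOKIE (per request_order),
// which is why the PHPSESSID cookie showed up in the email. Iterating an
// allow-list of known form fields from $_POST avoids that entirely.

// Only the fields the order form defines (names taken from the question).
// B1 and PHPSESSID are not listed, so they never reach the body.
const ORDER_FIELDS = ['_fname', '_lname', '_Address_1', '_Phone', '_email', '_Date_Needed'];

/**
 * Return one "field: value" line per allowed, non-empty field.
 * CR, LF and NUL are replaced so a submitted value cannot inject extra
 * headers or MIME boundaries if it is later placed in a mail header
 * (e.g. the customer's address in Reply-To). Unknown keys are ignored.
 */
function buildOrderBody(array $input): string
{
    $body = '';
    foreach (ORDER_FIELDS as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            continue;
        }
        $value = trim(str_replace(["\r", "\n", "\0"], ' ', $input[$field]));
        if ($value === '') {
            continue;
        }
        // Reject a malformed email rather than forwarding it into headers.
        if ($field === '_email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            continue;
        }
        $body .= "$field: $value\n\n";
    }
    return $body;
}

// Constructed sample: what $_POST would hold after the question's form is
// submitted, plus the cookie PHP would have merged into $_REQUEST.
$samplePost = [
    '_fname'     => 'Mark',
    '_lname'     => "Smith\r\nBcc: nobody@example.invalid", // header-injection attempt, neutralised
    '_Address_1' => 'South St',
    '_email'     => 'my@email.com',
    'B1'         => 'Submit',                               // ignored: not an order field
];
$sampleCookie = ['PHPSESSID' => 'constructed-session-id']; // ignored as well

// Even if the merged array is passed by mistake, only ORDER_FIELDS survive.
echo buildOrderBody($samplePost + $sampleCookie);
```

Run it from the command line to see that the output contains the four order fields only, with the injected "Bcc:" line flattened onto the surname.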

Your submit sounds like it's an input with a value.

You can use a button with a submit type with no value.

Here's an example, where the button won't show up in the output:

Side note: I used a POST method here. If this does not solve the question, I will simply delete it.

<?php

$body = "";
foreach ($_REQUEST as $Field => $Value) {
    if ($Value != '') {
        $body .= "$Field: $Value\n\n";
        // ...
    }
}

?>

<form method="post">

    abc1: 
    <input name="abc1" value="abc1a" type="text">
    <br>

    abc2: 
    <input name="abc2" value="abc2a" type="text">
    <br>

    abc3: 
    <input name="abc3" value="abc3a" type="text">
    <br>

    abc4: 
    <button name="abc4" type="submit">SUBMIT</button>

</form>
Funk Forty Niner