payment_result.php shows the status of the customer's transaction, including their name and email address.

It remains in browser history and if it's revisited we get another email notifying us of the purchase, even days later after the order's been fulfilled and shipped.

Not to mention, if it goes across proxies and through the ISP's logging servers it can leak our customers' PII to other clients.

How should this be handled?

    Upon successful completion of post method form processing code, you need to perform a redirect to the exact same URL of the current page to cause a get request for that page. This will prevent the browser from resubmitting the form data should that page get browsed back to or reloaded. See this link - https://en.wikipedia.org/wiki/Post/Redirect/Get

    Ah! Will give that a try. I've used it on search for years, but have never experienced this with a purchase page.

    Granted, at the last PHP job most of the purchases were made by the phone. ;-)

      PRG is much more important when you're doing e-commerce. There are several JS libraries for toast messages that can help with this as well - you can still give your user valuable feedback while wiping the $_POST variables. I've used toastr.js in past, but I'm sure there are good non-jQuery dependent solutions as well.
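The PRG redirect described in the reply above, combined with the session-stored feedback message the toast suggestion relies on, as an added example that is not code from either poster. It assumes the page is served at `/payment_result.php` and that `process_payment()` and `send_order_email()` are hypothetical stand-ins for the real gateway call and mailer; everything else is plain PHP.

```php
<?php
// payment_result.php rewritten around Post/Redirect/Get (added example, not
// the original page's code). The POST branch does the work and redirects; the
// GET branch only renders a one-shot message pulled from the session, so a
// reload, a history "back", or a bookmarked URL never re-processes the order,
// never re-sends the email, and never carries the customer's PII in the URL.

declare(strict_types=1);
session_start();

const SELF_URL = '/payment_result.php';   // assumption: the page's own path

// Neither response may be cached by the browser or by an intermediary proxy.
header('Cache-Control: no-store, max-age=0');
header('Pragma: no-cache');

// Hypothetical placeholder for the real gateway call: returns the order on
// success, null on failure. A real implementation would charge the card here.
function process_payment(array $post): ?array
{
    foreach (['name', 'email', 'amount'] as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return null;
        }
    }
    return [
        'id'     => bin2hex(random_bytes(8)),
        'status' => 'approved',
        'name'   => (string) $post['name'],
        'email'  => (string) $post['email'],
    ];
}

// Hypothetical placeholder for the merchant notification mailer.
function send_order_email(array $order): void
{
    error_log('order ' . $order['id'] . ' notified');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $order = process_payment($_POST);

    if ($order !== null) {
        send_order_email($order);        // runs exactly once, on the POST only
        // Keep what the GET view needs server-side, never in the redirect URL.
        $_SESSION['flash_order'] = [
            'status' => $order['status'],
            'name'   => $order['name'],
            'email'  => $order['email'],
        ];
    } else {
        $_SESSION['flash_error'] = 'Payment could not be processed.';
    }

    // 303 See Other makes the browser fetch the same URL with GET, so the
    // POST is not what ends up in history or what a reload repeats.
    header('Location: ' . SELF_URL, true, 303);
    exit;
}

// GET branch: read the one-shot message and clear it immediately.
$order = $_SESSION['flash_order'] ?? null;
$error = $_SESSION['flash_error'] ?? null;
unset($_SESSION['flash_order'], $_SESSION['flash_error']);

if ($order === null && $error === null) {
    // Revisited from history or a bookmark: nothing to show, nothing to send.
    header('Location: /', true, 302);
    exit;
}

$esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Payment result</title></head>
<body>
<?php if ($error !== null): ?>
  <p class="toast error"><?= $esc($error) ?></p>
<?php else: ?>
  <p class="toast"><?= $esc($order['name']) ?>, your payment is <?= $esc($order['status']) ?>.
     A receipt was sent to <?= $esc($order['email']) ?>.</p>
<?php endif; ?>
</body>
</html>
```

Two details matter for the PII concern raised in the question: the redirect target carries no query string, so nothing customer-specific reaches browser history or proxy logs, and the `Cache-Control: no-store` header stops a shared cache from holding the rendered GET response. The flash data lives only in the server-side session and is deleted on first render, which is what lets a client-side toast library display it without any data surviving a second visit.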
