
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Default values for hidden profile fields


This topic contains 3 replies, has 2 voices. Last updated by Bruce 3 years, 8 months ago.

Posted: Thursday Apr 25th, 2013 at 1:37 pm #48385

We’re using an obfuscated free sign-up page for our site, but we have people registering in cohorts, and we’d like to distinguish them. Is it possible to pass values for hidden profile fields (which we already have, and use when importing users) via URL parameters? i.e., we’d like to send the following link to our first cohort:

http://www.site.com/230482031?cohort=1

and then this link to the second group:

http://www.site.com/230482031?cohort=2

and have that parameter stored in their profile – this is important for Mailchimp integration, so we can segment the resulting list for emails later on. I don’t think default field values will work, as they need to be per group, not even per form. Another solution might be to have a different signup form for future groups, but (a) that will create a mess of WP pages with random names, and (b) I’m not even sure we could customise profile fields with the form shortcode anyway. The parameter approach seems much simpler… But is it possible?

Thanks,

David.

Posted: Friday Apr 26th, 2013 at 3:39 am #48444
Bruce
Staff Member

Thank you for your inquiry.

This video should give you what you need.

Video » s2Member (Custom Fields Dynamically?)

Posted: Friday Apr 26th, 2013 at 10:56 am #48496

Thanks – I think I’ve got what I need working now. I’ve got a function which already checks various profile fields for default values hooked against the ws_plugin__s2member_during_configure_user_registration_front_side action. I’ve added the following at the beginning of that function:

foreach ($_GET as $k => $v) {
	$cFields[$k] = $v;
}

The array $cFields[] is then merged back into the user’s profile with a call to array_merge() and update_user_option().

So now I can put any combination of profile fields in the URL as parameters. However, this looks like a recipe for injection attacks! I’m wondering what the best way to defend this might be…

Is there a way of getting an array of the current valid profile fields, so I can restrict processing to only those fields? Is there anything else I should be doing to minimise the risk of people putting random code into the URL?

Posted: Friday Apr 26th, 2013 at 10:21 pm #48527
Bruce
Staff Member

> So now I can put any combination of profile fields in the URL as parameters. However, this looks like a recipe for injection attacks! I’m wondering what the best way to defend this might be…

The best thing to do here would be to only allow the specific field you’re looking to have available for Users to change to be changed via your script. You’ll want to only check for that specific $_GET variable and only array_merge() in that value.
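
The allowlist approach from the reply above, as an added example (not code from this thread or from s2Member): only the cohort parameter is read, and only values on a fixed list are merged into the profile. The names COHORT_FIELD, ALLOWED_COHORTS and cohort_from_query(), the s2member_custom_fields option key, and the user_id entry in the hook argument are assumptions; the sample query arrays are constructed.

```php
<?php
// Added example, not s2Member code. Names below are assumptions.
const COHORT_FIELD    = 'cohort';     // the single field accepted from the URL
const ALLOWED_COHORTS = ['1', '2'];   // cohort IDs actually sent out in links

/**
 * Return [COHORT_FIELD => value] when the query carries a known cohort,
 * otherwise an empty array. Every other query parameter is ignored.
 */
function cohort_from_query(array $query): array
{
    $raw = $query[COHORT_FIELD] ?? null;
    // Reject array input (?cohort[]=1) and any value not on the allowlist.
    if (!is_string($raw) || !in_array($raw, ALLOWED_COHORTS, true)) {
        return [];
    }
    return [COHORT_FIELD => $raw];
}

if (function_exists('add_action')) {
    // Inside WordPress: hook named in the thread; argument shape is assumed.
    add_action(
        'ws_plugin__s2member_during_configure_user_registration_front_side',
        function ($vars = []) {
            $user_id = isset($vars['user_id']) ? (int) $vars['user_id'] : 0;
            if ($user_id <= 0) {
                return;
            }
            // Assumed option key for the stored custom profile fields.
            $existing = get_user_option('s2member_custom_fields', $user_id);
            $existing = is_array($existing) ? $existing : [];
            $merged   = array_merge($existing, cohort_from_query($_GET));
            update_user_option($user_id, 's2member_custom_fields', $merged);
        }
    );
} else {
    // Stand-alone run with constructed query arrays.
    $samples = [
        ['cohort' => '2'],
        ['cohort' => '2', 'some_other_field' => 'x'],  // extra key is dropped
        ['cohort' => '99'],                            // unknown cohort
        ['cohort' => ['1']],                           // array instead of string
    ];
    foreach ($samples as $query) {
        echo json_encode($query), ' => ',
             json_encode(cohort_from_query($query)), PHP_EOL;
    }
}
```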


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
