EOT Email notification (temporary solution)

Hello – as i understand the email notification of EOT is under development correct ?
I mean that when the subsription time will expire user shoud be notified of this fact by email containing information on how he coud renew it.
I’ve made my own temporary sollution that i’d like to share with you. I wanted to consult with someone experienced if script i’ve made wont cause any security/general issues.

Basicly idea was to put this somewhere on my FTP server :

<?php
if(isset($_GET['email'])) {
    $email_to = $_GET['email'];
    $email_subject = "Eot Notification";
    $first_name = $_GET['name']; 
    $email_from = "support@mywebsite.com"; 
    $email_message = "Hello ".$_GET['name']."\nYour subsribtion of XXX has expired. To refresh subscription : href \n\n";
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
@mail($email_to, $email_subject, $email_message, $headers); 
?>
<!-- include your own success html here -->
OK
<?php
}
?>

as eot.php file. Then in API Notifications -> EOT/Deletion Notification URLs i put the:
http://www.mywebsite.com/eot.php?name=%%user_full_name%%&email=%%user_email%%
And in theory user shoud recive an email when the EOT occurs.
Questions are :
1. Will this work without causing any security/general issues ?
2. How to avoid email landing in spam box.
3. Am i missing something important here ?

Not sure if its safe to impement so i wil really aprecieate any comments on this.

• This topic was modified 4 years, 3 months ago by  Patryk Wezowski.

1. Will this work without causing any security/general issues ?

Yes, that should work. The only security concerns you should worry about is someone discovering the eot.php script and then using it to send their own emails (e.g., using it to send lots of spam messages through your server).

The most basic way of preventing something like that would be to include in your URL a key (e.g. , &key=somethinglongandcryptic) and then checking if $_GET[‘key’] matches before sending the email. That way, if someone discovers the script, they will also need to know what your secret key is before they can use it to send emails.

2. How to avoid email landing in spam box.

There are lots of things that could cause messages to go to spam and I couldn’t possibly cover all of them here. I recommend researching on Google “how to pass spam filters with php mail”.

3. Am i missing something important here ?

It doesn’t look like it to me. I recommend testing the script by creating a test user and then setting their Automatic EOT time manually on their profile. You can set it to expire in one day and then wait for the email to see if it arrives. You could also add some logging routines to your eot.php script to save information about what’s happening to a local log.txt file so you can check that to see if anything came through.

Thanks for reply – i’ll just change if(isset($_GET[’email’])) { part to this key thingy you suggest.

Yes, that would work if you check $_GET[’email’] against all the users in your WordPress database. That way, the script can only be used to send emails to people who are registered on your site.