Community Support Forums

Can I use the s2member conditionals in email to show different content based on custom capabilities?

s2Member does not do it, but you could most probably custom code it.

In what emails do you want to use the conditionals?

In the response email when a user registers I want to list the information they filled in on the form they registered with. There are different custom fields for different levels but only one email gets sent to all levels. I wanted to be able to say if the user has a certain level then show them what was entered for the custom fields that are shown for that level.

I see what you mean. That sounds nice, although it's not something that s2Member does currently. I'll show this to Jason for his conderation.

To edit the registration email, you can try this plugin https://wordpress.org/extend/plugins/ne ... il-set-up/

I know it supports some variables and HTML, but most probably not the level the member now has. You could try adding to that plugin the variables you want and then use them in the message.

If you need conditions in the email, try and see if the Exec PHP plugin will work in that plugin's edit box, but if it doesn't then that's something else you'll need to add. http://wordpress.org/extend/plugins/exec-php/

Another thing you could do is disable the email WP sends on new registrations and use s2Member's Notifications API to pass the data to your own custom script that formats it into the welcome email and sends it.

https://wordpress.org/extend/plugins/se ... mail&sort=

WP Admin -> s2member -> API / Notifications

sterup wrote:In the response email when a user registers I want to list the information they filled in on the form they registered with. There are different custom fields for different levels but only one email gets sent to all levels. I wanted to be able to say if the user has a certain level then show them what was entered for the custom fields that are shown for that level.

Thanks, that's a great suggestion.
I'll see what we can do about this in a future release.

Until then, I recommend using the API Notifications that Cristián suggested. This is s2Member's way of handing complete control over you to and possibly a developer working with you. It allows you to attach custom scripts that you write to events triggered within s2Member's processing routines. It is certainly possible for a custom script to receive all of this information, filter it down the way you need it, and then process those details through email, perhaps to other 3rd party services even, or the like.

Yes that will work but there is a lot of custom coding and input verification involved and any time a new field is added I will have code to update instead of just adding the field to the response email. It would be nice to have this functionality in a future release. Until then I will have to write something custom to handle the emails.

The input verification would be done by s2Member, you'd receive the registration data after the account was created.

But if you send any data as a request var to a php script then that script must validate the input or else you open yourself up to injection attacks. As I understand it (and maybe I dont) the notifications are sent as request variables to a php script that does some action with them. Am I right? If so then the input must be validated to not contain SQL and XXS attacks or else I could be opening my users email addresses up to be attacked.
I think a better solution would be for me to hook into the wp_mail filter hook and add my own conditional tags that I can enter into the standard email. Then I can filter them out and transform the email the way I want it. At least for now until it gets built into s2members.

Yes, what you said is correct. You have to add some security to your script. You could follow the tip Jason gives in the video. You can add more validation, of course, but it shouldn't be that hard.

You could check who's calling the script and discard any call from an invalid referrer or IP.

One could probably check if the account is actually new and if not, then this script is probably called for another reason by someone else.

Those validations would work regardless of the number of fields you change in the future.

To abuse your script it'd have to be known where it is although it won't be public, but someone spying on you could know about it. The script could be accessed via SSL only, if you have a certificate for that.

Jason, could you confirm if what I said is right?

The wp_mail() Filter is a possibility.

Regarding security for API Notification URLs.

I would recommend that any/all Notification URLs include a secret authentication key that is unique to your custom script that receives data from s2Member. So your API Notification URL might look like this:

Code: Select all

http://example.com/?my_key=8234sdfsl293423dldf9234783345&subscr_id=%%subscr_id%%

In your script, you just do this to authenticate the API Notification.

Code: Select all

<?php
if($_GET["my_key"] === "8234sdfsl293423dldf9234783345"){
    // Handle other variables now.
}
?>