
I'm currently using PHPMailer to send out an email to a mailing list, however I am looking to create an unsubscribe function because I cannot in good conscience not give the option.

The only problem I'm facing is doing it in a safe manner. What I've had in mind so far was to add an href back to my website that would link to a page like http://example.com/unsubscribe.php?email=useremail@test.com, but with this method anyone can delete any email they want, or delete the entire mailing list. I'm not sure how I can bypass this issue. My MySQL database only contains a unique email ID, which is just their position in the database (the first email added has an ID of 1, the second has an ID of 2, and so on), and a column for the email address itself.

Asked by Marcelo (question edited by davejagoda)
  • generate a unique one-time token (time elapsed based also), and using that token targeting the user's email in the query/column. There are plenty of solutions out there. – Funk Forty Niner Nov 19 '15 at 17:55
  • this Q&A for instance http://stackoverflow.com/questions/17142935/how-to-generate-unsubscribe-link-for-newsletter might even be a duplicate for this question and http://stackoverflow.com/questions/3387229/how-to-generate-link-for-unsubscribing-from-email and http://stackoverflow.com/questions/1240915/how-to-add-one-click-unsubscribe-functionality-to-email-newletters – Funk Forty Niner Nov 19 '15 at 18:01
  • Personally, I kind of like this answer http://stackoverflow.com/a/17143081/ where you could ask the user upon clicking the link, their secret key which you really should add to your table. – Funk Forty Niner Nov 19 '15 at 18:08
  • Create another column in your table and generate a unique token for each email. Then you can attach this token to unsubscribe URL along with email. – Rehmat Nov 19 '15 at 18:25
  • For those who happen to stumble upon this question, an FYI: It's not just a matter of conscience - it's required by the FTC: https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business – Halogen Jun 04 '16 at 07:14

1 Answer

I would do something like this:

http://example.com/unsubscribe.php?email=useremail@test.com&token=XXXXXXXXXXXXXXX

$token = hash_hmac('sha256', $email . $email_id, $site_salt); // value sent as the token parameter in the link
$valid = hash_equals($token, $_GET['token']);                 // constant-time comparison against the submitted token

If the token is valid, then process the unsubscribe.

P.S. I'm not sure why you got a downvote, but my guess is because you didn't realize you were legally required to provide an unsubscribe.

Answered by hendr1x (answer edited by Funk Forty Niner)
  • This is really useful, thanks! I do have an unsubscribe function, but it's kind of clunky (it is just a mailto with the subject unsubscribe). – Marcelo Nov 19 '15 at 23:05
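Added example, not code from the answer or from the asker's project: the HMAC-token scheme above written out in PHP, extended with an expiry as the comments suggest, and checked with hash_equals before a single-row delete. Assumed: a subscribers table with id and email columns (as the question describes), a secret kept outside the database, and illustrative function names.

```php
<?php
// Added example, not code from the original answer: HMAC-signed unsubscribe links.
// Assumed: $secret is a long random value stored outside the database; the
// subscribers table has columns id and email as described in the question.

const TOKEN_TTL = 7 * 24 * 3600; // link stays valid for 7 days

function unsubscribe_token(string $email, int $id, int $expires, string $secret): string
{
    // Bind the token to the row id, the address and an expiry; without $secret
    // nobody can compute it for another subscriber's address.
    return hash_hmac('sha256', $id . "\n" . strtolower($email) . "\n" . $expires, $secret);
}

function unsubscribe_link(string $base, string $email, int $id, string $secret): string
{
    $expires = time() + TOKEN_TTL;
    return $base . '?' . http_build_query([
        'email' => $email, 'id' => $id, 'exp' => $expires,
        'token' => unsubscribe_token($email, $id, $expires, $secret),
    ]);
}

function verify_unsubscribe(array $q, string $secret): bool
{
    if (!isset($q['email'], $q['id'], $q['exp'], $q['token'])) return false;
    if ((int) $q['exp'] < time()) return false; // expired link
    $expected = unsubscribe_token((string) $q['email'], (int) $q['id'], (int) $q['exp'], $secret);
    return hash_equals($expected, (string) $q['token']); // constant-time compare
}

// Only a verified token touches the table, and only the single row it names.
function handle_unsubscribe(PDO $db, array $q, string $secret): bool
{
    if (!verify_unsubscribe($q, $secret)) return false;
    $stmt = $db->prepare('DELETE FROM subscribers WHERE id = ? AND email = ?');
    $stmt->execute([(int) $q['id'], (string) $q['email']]);
    return $stmt->rowCount() === 1;
}

// Demo with constructed values: a genuine link verifies, a tampered one does not.
$secret = 'replace-with-output-of-bin2hex(random_bytes(32))';
$link = unsubscribe_link('https://example.com/unsubscribe.php', 'useremail@test.com', 42, $secret);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump(verify_unsubscribe($query, $secret)); // genuine link
$query['email'] = 'someoneelse@test.com';
var_dump(verify_unsubscribe($query, $secret)); // address swapped, token no longer matches
```

Because the token covers the id, the address and the expiry, changing any of them in the URL invalidates it, so a link only ever removes the one subscriber it was mailed to.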