Support » Plugin: Email Before Download » Custom 'Sent From' Field

  • I was wanting to change the ‘sent from’ field that shows up in the downloader’s inbox to something other than the default “wordpress”, so I looked at the code and found this commented out:

    `<tr valign=”top”>
    <th scope=”row”><p>12. Email From</p></th>
    <td><p><input type=”test” size=”40″ name=”email_before_download_email_from” value=”<?php echo get_option(’email_before_download_email_from’); ?>” />
    <br />
    <font size=”-1″><i> If this field is left blank, the default wordpress email will be used. Use the following format:My Name <myname@mydomain.com>”.</i><br />
    </i><br /></font>
    </p>
    </td>
    </tr>`

    I enabled it and tested, and it seems to work great! I am very curious to know why it was commented out and are there any issues in enabling it?

    https://wordpress.org/plugins/email-before-download/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Yeah I saw that code too. That makes that setting show up on the Email Before Download settings page. They have that commented out, as you pointed out. I noticed it a few weeks ago and found the code that goes with it that actually makes it work — the code that puts a hidden field in the HTML form & puts in the value that you put in the settings field. That code is NOT commented out. Meaning, it works whether or not you’ve uncommented the stuff in the settings page. In other words, you could simply put the hidden field in there yourself in the CF7 form. Or, your website visitor could put that field in there himself using any number of tools that let you modify the POSTed form data before it leaves your browser and end up setting the From: value for emails sent by EBD. I sent the plugin authors, M&S Consulting, an email message about this a few weeks ago but never heard about. It’s a bug in my opinion. Not a huge one — the security implications of it are fairly minor, but it should be fixed in my opinion.

    If I remember the code correctly, then what happens is that EBD will check and see if EBD has a From: value set in the database already (wordpress settings). If so, it uses that. If not, it checks to see if the end user has submitted a form that includes a variable (hidden variable) to set the From: and then it will use that if so. If not, it just uses whatever the default is for your system (usually some weird computer name if it’s a shared-hosting account).

    Many people are using SMTP plugins like Postman SMTP to set the From: value. For them, this shouldn’t be an issue. Others, are using the Custom Sender for Email Before Download plugin, which will set the From: value in the wp_settings (in the database), so for them this is not an issue either. However, for everyone that has never set a from: value in wp_settings, then they are exposed to someone from the outside submitting a form POST and setting that hidden variable which will then cause EBD to set the From: to that value from then on (I think .. I could be wrong, it’s been a few weeks since I looked at it, but I believe that is the case). Like I said, I notified M&S Consulting, but no response…

    Thread Starter bcm924

    (@bcm924)

    Thanks for the info – hopefully they’ll respond to your request. Meanwhile, I’m using the code since I need the From field to be from my company when someone requests a download and it goes to their email. I want them to know what they’re getting is from us.

    I think once it’s set then it will remain set (because it stores it in wp_settings). So you probably don’t need that code enabled any more, but it’s probably fine to leave it like that.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Custom 'Sent From' Field’ is closed to new replies.