using mail with ob_start

i have a report that run monthly automatically and send emails to each customers in the report for this i m using
$output = ob_get_clean();
   echo $output; 
   mail($email,"Hi:". $surname,"<html><body>$output</body></html>","MIME-Version: 1.0\r\nContent-type: text/html; charset=iso-8859-1\r\n"); 

Open in new window

and i m using this to include it in the body when he clicks he can see his report with chart
echo $url;  
my problem when each customer clicks in the links in the email he get all the customers that i dont want normally each customer get his report ..
that what i get in the email
      Unit Name :
Ballycumber Community Centre      Account Name :
Castlewarren GWS      Customer Name :
Report Date :
01-07-2012      Report Units :
Report Name :
Daily Totals Usage Report
Date      Ballycumber Community Centre Chl Res                        Total
01-07-2012      0.00                        850.00
01-07-2012      0.00                        100.00
Total      0                        950.00
Daily Average      0.00                        0.00

Who is Participating?
Olaf DoschkeConnect With a Mentor Software DeveloperCommented:
And what's the propblem with that? The login doesn't occur when the mails are generated, but when the customer clicks the link in his mail.

The script to generat ethe mails obviously is one of those, to which you don't apply the login check and redirect.

Bye, Olaf.
Olaf DoschkeSoftware DeveloperCommented:
Well, if you want a mail to contain a link getting data for this one customer only, include a parameter identifiying for which customer to get the report data. It shouldn't be too obvious as in http://yourdomain:8080/campion/css2/monthly.php?customer=name, because then he can also get data for other customers simply by changing the name.

So while composing the mail create a unique random value you add to the link and store it with the customer id. If the mail link is clicked you see what customer data to return.

This way your link would look like

monthly.php would then take the requestid value and lookup the customerid with it. Your customers will not be able to guess which other requestid will give them data for other customers.

The ideal thing to do, though, is add a login.

Check for a php session with any request no matter if coming from mail or from the web, if a customer logs in set a session variable with the customerid, if that is not yet set redirect each request to a login page and after login redirect to the original request uri.

That's applicable anywhere you want to know who is making any request to only return the data he's legitimate to see.

The pattern of redirect after login is described here:

Make that a general include in all your php scripts to all pages that need a logged in user to output a user specific page and no matter what url a user bookmarks, if that page needs login, it will redirect to the login, unless the session value set by login is already set.

Bye, Olaf.
asaidiAuthor Commented:
Hi Olaf
the problem that this script will run automatically every month sending emails to all customers in database (automatic report) filled by a user..
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

asaidiAuthor Commented:
ok then
i understood means when the customer clicks on the link he must first logging to see the page
Olaf DoschkeSoftware DeveloperCommented:
Yes, but maybe I overlooked you use the same script for generating mails and embedded in the mail for looking at one customers report.

You need two different entry points. Eg mail.php and display.php, bith include monthyl.php with differing parameterisation. Then you can pout the login redirection code into display.php only and not into mail.php and monthly.php is just containing the code both scripts need to share.

Look into and

Bye, Olaf.
asaidiAuthor Commented:
I think i dont need logging system as the logging is done only for accounts and each account has one or more customers...the account can see all the customers but customer can see only himself
Olaf DoschkeSoftware DeveloperCommented:
logging is not login. Otherwise I see what you mean about the number of customer vs accounts.

Still you only want users of a certain customer to see that customers data. That does sill men the need to login or obfuscate the link so no user of no customer can guess the correct link to data of another customer.

Bye, Olaf.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.