Skip to content

MailChimp, Secure Forms, and owning mistakes

mc_freddie_color_webDear Reader,


Screen Shot 2016-03-30 at 9.25.34 AM

So yesterday (March 29th, 2016) I started a small crap-storm on twitter directed at one of my favorite SaaS vendors, MailChimp. I didn’t mean to, I really do like MailChimp. I’ve been using them since ~2009 and find their service to be awesome. However, As you can see from my tweet, I couldn’t figure out how to make the signup form for Nomad PHP secure.

At first, do no harm

The problem arose when the person running @mailchimp answered and informed me that even though the URL wasn’t secure, the information was securely transmitted the server. I would show a picture of that tweet as well but @mailchimp has removed it. The information passed was of course, wrong.  If the URL is not secure, the information being sent is being transmitted across the wire in clear text. If at this point, you are not sure what the difference between HTTP:// and HTTPS:// is, read “How does HTTPS provide security?”.

The problem is, not only did I know it was wrong, those people who follow me and @mailchimp also knew it was wrong. What followed was a dogpile on @mailchimp, which was not my intent, but then again, I didn’t ask them to give false info either. Honestly, I just wanted to know how to get an encrypted URL to the form for people to join the list.

The answer

Later in the day – I’m not sure if no technical people noticed, or if they just wanted to let things die down – @mailchimp did eventually give me the answer I needed. To their credit, they owned the mistake that was made earlier in the day as well.  If you don’t use MailChimp to manage your mailing lists, this section won’t be of much interest to you.

First, I am talking about a specific type of form, MailChimp’s “General Forms”. These are the forms that are hosted on MailChimp’s servers and they just give us a URL to pass out.

To get there, log into your account and select a list.


From there select “Signup Forms” to get to this screen.


And from there, select “General Forms”. You’ll get a screen that among other things shows you the “Signup form URL”. This is what all the fuss is about.



Notice, it’s not secure. When they finally did answer, @mailchimp told me to replace the domain with “” and then I could use https://.

Screen Shot 2016-03-30 at 9.54.29 AM

So I took them at their word, using the info from the screen above, I tried:

This did not. I simply replaced with and added the s to https://. The instructions were as clear as they could make them in 140 chrs, which is to say, they left out a step. is MailChimp’s URL shortener. It will not – and apparently never will – handle encrypted URLs. However, Nomad PHP’s eepurl resolves to and that page is encrypted. A sad note, not all of the elements on the page are encrypted, so even thouhg the data being sent back to the server is encrypted, the page won’t get a “Green Lock”. MailChimp, can we do something about this?


If you use Mailchimp and want to pass around a secure URL so that people can join your mailing list, take the eepurl, paste it into a browser and let the page load, then take that URL and add https:// . Since in Nomad PHP’s case, the form is actually hosted at, I didn’t need to make any changes. It is my understanding that this is not always the case. So make sure that if your forms doesn’t resolve to list-manage, that you change the domain as well.



Ok, back to the crap storm. MailChimp did not shy away from their mistake, unlike a lot of companies I deal with, they owned it.

Screen Shot 2016-03-30 at 10.07.34 AM

They could have “Clarified” the response, they could have ignored it totally and just kept going. MailChimp did the right thing. While I am bummed that I didn’t get a screenshot of the offending tweet, I actually do appreciate the fact that they deleted it instead of just leaving bad info out there for unsuspecting muggles to run across.

I deal with MailChimp not because they are flawless in their execution – far from it, they pissed me and a bunch of others off recently with their changes to Mandrill – but because when they are wrong, they own it. I respect that, I aspire to that.

I aspire to treat my customers with the same candor. With Nomad PHP, Day Camp 4 Developers, and all my other endeavors, I try to be honest with my customers and own my mistakes.Whether this takes the form of a public apology or a refund to someone who wasn’t 100% satisfied that I delivered what I promised, I would rather take the hit financially or ego-wise than have someone think I wronged them.

Thank you MailChimp for leading the way.

Until next time,
I <3 |<

Mailchimp API v3 and Address fields

Freddie_OGDear Reader,

I love MailChimp. I mean I seriously love it. I’m not a big fan of SaaS vendors. I think that most of them are just obvious ideas that someone found a way to shove behind a paywall. But I love MailChimp.

One of the reasons I love it is that it seems to have been built for developers. Everything about it seems to be geared towards developers. This includes their API. I’ve been using v2 of their API in scrips for a few years now and it was just so easy to work with. Their PHP wrapper for it was one of the easiest to use API wrappers I’ve used.

Enter API V3

Recently, (March is recently, right?) they announced v3 of their API. It was “RESTful”. What used to be an absolute breeze to use in v2 has now become a laborious chore to use. It doesn’t help that they don’t bother to release sample code in PHP, if you aren’t a Python or Ruby developer, you have to figure it out on your own.

So that is what I did. I sat down with Guzzle and beat it into submission. While you can still do everything you could do before, to blindly adhere to the principals of REST, they have made retrieving something as simple as all of the information about a single email address 3-4 calls. Complexity for the sake of “doing it right”. (Because there is no way this is actually easier to use, but REST purists will love it.)

Address the issue

One area of change was how the merge fields work. Now this isn’t actually harder than v2, because this was the weak point in v2. However, using their ADDRESS type merge field, I found something very interesting.

The MailChimp Address field is actually made up of 6 different properties.

  • Address Line 1 (addr1)
  • Address Line 2 (addr2)
  • City (city)
  • State (state)
  • Zip Code (zipcode)
  • Country (country)

It’s not terribly difficult to work with from the API…unless. I found an interesting anomaly in the API. Your address lines cannot contain 2 consecutive spaces. Dang near drove me up the wall because it doesn’t tell you that this is a problem, or even which line in the address field has a problem. The error message that comes back simply tells you to enter a valid address.


Ok, if you are using the MailChimp API v3 and you are using PHP, Guzzle is your friend. Also, make sure you strip out any double spaces. Here is how I did it.

$addr1 = filter_var($payload["addr1"],FILTER_SANITIZE_STRING);
$mcRecord->merge_fields->ADDRESS->addr1 = strtr($addr1,['  '=>' ']);

Personally, I believe that this behavior is an artifact of how Mailchimp’s importer works. If you read the docs, they use double spaces to split apart the pieces of an address. Since I was assigning a string with double spaces to a single field. I think the API was choking on that and that is why it spit it back out at me. Of course a helpful error message or even a blog post mentioning this rule would have saved me some frustration.

Still, Mailchimp beats everything else, hands down. Still a fan, even if a bit frustrated.

UPDATE: See the comment below, Pete addresses the issues. (Thank you Pete!) :)

Until next time,

Using 3rd party libraries in Composer projects

Dear Reader,

Recently, I discussed a lesson I learned about “Managing the Verbosity of symfony’s Command Object With a Trait” while building a project. This particular project has been very instructional to me so I thought I would share something else I learned.

As discussed in the previous post, this is a command line script to move email addresses from eventbrite events into MailChimp lists. I wrote it specifically for use with my NomadPHP project but the way it now works, it operates on all my projects at once.

A problem I ran into when starting this project is that the official MailChimp API wrapper for PHP is NOT a Composer package. Thankfully, the wizards behind Composer have thought this through. To facilitate using non-Composer packages in composer projects, all I had to do is add one line to my “autoload” section of my project:

    "autoload": {
        "psr-0": {
	   "NomadPHP": "app/"},
 	   "classmap": [ "src/"]				  

The classmap section allows me to drop any class file into the directory src/ and then run composer.phar update. Composer will look at the files in that directory and add them to vendor/composer/autoload_classmap.php. Mine now looks like this:


// autoload_classmap.php generated by Composer

$vendorDir = dirname(dirname(__FILE__));
$baseDir = dirname($vendorDir);

return array(
    'Eventbrite' => $baseDir . '/src/Eventbrite.php',
    'MCAPI' => $baseDir . '/src/MCAPI.class.php',

Problem solved. As you can see I also used this to be able to use the eventbrite API wrapper as well.

If you are not using Composer for your projects, you really need to start. It’s a great way to speed your PHP development.

Until next time,
I <3 |<


New github repo, mailchimpScripts

Dear Reader,

I do a lot of work with mailchimp. Like any good developer, when I have access to an API, I start automating things instead of doing them manually each time. Also, like any good developer, once I write something, I want to share it with others so they can use it.

To scratch both of those itches, I have created a new repo on github, mailchimpScripts. Currently, there is only one script in the repo, listSegmentMaker.php.

This is a cli script and little more than a bash script written in PHP. It’s not pretty, it’s not OO, it’s useful to me though. If you work in mailchimp, you may find it useful. However, if you don’t know how to run php cli scripts, it probably won’t be useful to you at all. That’s ok, it’s still useful to me.

Patches are always welcome,

Until next time,
I <3 |<

Day Camp 4 Developers: Soft Skills wrapup

Dear Reader,

Well, it’s done. Our first ever Day Camp 4 Developers was yesterday and was by most accounts, a rousing success. Some of the comments over at Joind.In are just wonderful. I won’t rehash all the great times and comments but I do want to list a few things I learned, even if only for myself.