Good implementation but a bad ideea IMHO. Usually, them users have the nasty behaviour of using the same username/password combination everywhere so you can imagine what problems will arise because:
1. The password will be 'stored' in the server logs.
2. If they are going throug a proxy it will be stored there too.
(these are the reasons for not passing session ids through the url either)
If you really need this, you should add a warning to the mail too:
Warning: logging in using this link will expose your username and password to third parties.
If you have a problem with that, do not use that link. Instead, go to the <a href="{$config['phpurl']}/login.php">login</a> page and enter the username and password there.
