No idea if it is theoretically possible but the sheer varety of email systems available means that it isn't feasible. Put the form on a page and include a link.

Thanks for replying Piatkow. That seems like a very sensible way of looking at it.

Can I make the form only available to people to have received the email?

The aim is to make the experience look and feel personal, rather than a big, open, public experience.

you probably could do it. if you use GET it would only ever send a URL anyway, which is just a text string.

you'd just have to make sure that the URL on the form was an absolute one.

and you'd have to thoroughly check and santise any data that you receive from it. because there would be nothing to stop anyone rewriting the form's HTML before they press submit. you could literally receive anything.

Ah! Didn't think of that Londrum (people re-writing the HTML)

So I guess the most secure way is to do what Piatkow says and point my email recipients at a HTML page hosted by me?

However, I think I have to go and read about GET/POST to understand your first line. I know its the two main ways but I barely know what POST means (it puts the data into the db, right?)

neither GET or POST will put the data into a database by themselves. they are just different ways of sending the same stuff over.

it is what you do with the data when you receive it that puts it into the database.

you'd still have to properly check the data even if the form was hosted on your own site, because there's nothing to stop people rewriting the form there either. (they'd just have to download the HTML, change it, and make sure the URL sent it straight back to yours. it's surprisingly easy to do)

if you don't check the data, both ways are as insecure as each other.

Oh!

Looks like I'd better turn this bloody laptop off, stop playing Scrabble on Facebook and actually read this "PHP & My SQL for DUMMIES" book that's cluttering up my desk.

Thanks Londrum.

I've never tried it, but if you can use <iframe> in an html email, that would be the simplest solution (by simply using a standard form).

However, since people do not expect forms in their email, I doubt that any method used to achieve this is a good idea.

Kaled.

I've played around with this a bit.

Email clients are not browsers; they don't post forms like browsers do. If you send a properly formatted html email, the form indeed appears in the email but when you try to submit it just goes to the URL in the action of the form, like a link. It doesn't bring any of the form fields with it.

It *might* work in web-based mail services, but those are likely to squelch forms for security reasons.

Recent discussion [webmasterworld.com]

rocknbil - thanks for that redirect. The other thread is well worth reading.

Kaled - <iframe> sounds interesting too. There's anotehr thing I'll have to go and look up.

the iframe still won't work unless you have a web enabled email client or web email.
you should design your email to work as plain text.