Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: phranque
I can't find much about this and it does strike me that I never really get forms showing up in my inbox. So is it
1. Something people don't do because it's difficult?
2. Something people don't do because it's impossible?
3. Something people don't do because it's a stupid idea?
you'd just have to make sure that the URL on the form was an absolute one.
and you'd have to thoroughly check and santise any data that you receive from it. because there would be nothing to stop anyone rewriting the form's HTML before they press submit. you could literally receive anything.
So I guess the most secure way is to do what Piatkow says and point my email recipients at a HTML page hosted by me?
However, I think I have to go and read about GET/POST to understand your first line. I know its the two main ways but I barely know what POST means (it puts the data into the db, right?)
it is what you do with the data when you receive it that puts it into the database.
you'd still have to properly check the data even if the form was hosted on your own site, because there's nothing to stop people rewriting the form there either. (they'd just have to download the HTML, change it, and make sure the URL sent it straight back to yours. it's surprisingly easy to do)
if you don't check the data, both ways are as insecure as each other.
Email clients are not browsers; they don't post forms like browsers do. If you send a properly formatted html email, the form indeed appears in the email but when you try to submit it just goes to the URL in the action of the form, like a link. It doesn't bring any of the form fields with it.
It *might* work in web-based mail services, but those are likely to squelch forms for security reasons.
Recent discussion [webmasterworld.com]