We use Mkt_tok URL parameter that is added by Marketo to links in emails. this parameter contains an encrypted unique identifier of the email addressee. Therefore, when the person clicks the email the LP get that information and identifies the person and retrieves the data from the database. This overrides the munchkin cookie that might exist on the browser.
I asked you that because I previsoly sunimted a form with someone else email, then sent a samle email to myself and when I clicked in the link, it had the mkt_tok but the prepopulated email wasn't the one related to the email but the last submited form. I think it might be a problmen with the email since it was just a sample not a real one...
Last question (I hope), does the mkt_tok parameter come in the URL always?
I need to update every single email so all our Unsubscribe links come with that parameter, but on the Email Templates is hard to know since it is html code.
As long as the link doesn't have class="mktNoTok" or class="mktNoTrack" -- and, if emitted from a Velocity script, that it is a full-formed <a> tag -- it's be mkt_tok-enized.
Note you can't actually prevent people from posting the form using arbitrary data, as I mentioned above. Protection you add via JS isn't really protection at all -- except from people who are technically malicious, yet completely technically unskilled. Not a very large cohort.
This is not to say it won't help higher-ups feel better, just like JS-based field validation, but it doesn't quite rise to the level of "security."