Torben,
Re:3b
As I understand it, forms created using the forms API by default have their variables passed as form vars rather than url encoded so url surgery is not an issue. The validation and verification services usually provided by ad_page_contract are also taken care of by the forms API.
It should basically take the sweat out of it and reduce the risks, but you're right to want to test everything thoroughly.
Sorry for getting things muddled. I understood that template::form was the recommended way to access the API (either with or without the 'template::' prefix). I had mis-understood the ad_form/ template::form relationship.
I think that template::form code can be laid out to be really easy to read and understand and may therefore have the edge for maintainability. I certainly found it easier to get my head around initially. I'll have a play with the ad_form method though if I understand Dave correctly it can in certain situations be more limiting.
Thanks for the steer Dave.
R.
