I'm selling graphix over the web via Paypal credit-card processing.
One thing I've noticed is when it comes time to pay, the php page with sessions has the Paypal button with hidden fields on it. The problem is, anyone could just look at the source code, copy and paste the "thank you" address into the browser, and by-pass the credit-card processing altogether.
I know about includes...but so would they.
What do you suggest?