Shock this morning.

Most web shopping carts use hidden "form" fields to carry data around. And of course, these go via the client. So Richard van den Berg's HTML Bar utility allows you to change the hidden form fields that are sent as POST data.

A major-league shopping cart system uses this to carry the total value of the cart around. So it's simple to choose a dozen diamonds, for instance, and then choose the price you wish to pay.

Amazing. Real eye-opener.

There's a message here. Stop pi**ing around with POST form-data fields, and get yourself into web services. The connection between your server and the credit card system no longer has to go via the (completely insecure) client.
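The hidden-total problem above, shown as the trusting handler next to a hardened one that recomputes the total from server-side prices. This is an added example, not code from the original post or from any real cart product; the field names (`sku`, `qty`, `total`), the catalogue and the sample requests are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed server-side price list in cents; the client never supplies prices.
CATALOGUE = {"DIAMOND-1CT": 450_000, "GIFT-BOX": 1_500}

def parse_cart(body: str) -> dict:
    """Parse a urlencoded POST body with repeated sku/qty fields plus a hidden total."""
    fields = parse_qs(body, strict_parsing=True)
    skus, qtys = fields.get("sku", []), fields.get("qty", [])
    if not skus or len(skus) != len(qtys):
        raise ValueError("malformed cart")
    items = []
    for sku, qty in zip(skus, qtys):
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        if not qty.isdecimal() or not 1 <= int(qty) <= 100:
            raise ValueError(f"bad quantity {qty!r}")
        items.append((sku, int(qty)))
    return {"items": items, "claimed_total": fields.get("total", [None])[0]}

def total_trusting_client(body: str) -> int:
    """The pattern described above: charge whatever the hidden field says."""
    return int(parse_cart(body)["claimed_total"])

def total_server_side(body: str) -> int:
    """Hardened: recompute from the server's own prices, ignore the posted total."""
    return sum(CATALOGUE[sku] * qty for sku, qty in parse_cart(body)["items"])

def total_mismatch(body: str) -> bool:
    """True when the hidden total disagrees with the recomputed one (worth logging)."""
    claimed = parse_cart(body)["claimed_total"]
    if claimed is None or not claimed.isdecimal():
        return True
    return int(claimed) != total_server_side(body)

# Constructed sample requests: one untouched, one with the hidden total edited.
HONEST = "sku=DIAMOND-1CT&qty=12&sku=GIFT-BOX&qty=1&total=5401500"
EDITED = "sku=DIAMOND-1CT&qty=12&sku=GIFT-BOX&qty=1&total=100"

if __name__ == "__main__":
    for name, body in (("honest", HONEST), ("edited", EDITED)):
        print(name, total_trusting_client(body), total_server_side(body),
              total_mismatch(body))
```

The amount passed to the payment system should be the value from `total_server_side`, sent server to server, so nothing the browser posts can change it.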