Re: You are wrong, #13. You don't understand HTML.
Re: You are wrong, #13. You don't understand HTML. -- Mahatma Babaluji
Posted by: 13 ®
09/02/2005, 04:39:08


Hey, there is no need to get so aggressive, 'pal'!

I have a page that outputs the parameters of a form, and I copied the form code, and redirected it to my test page. Here are the parameters that get passed back to the server when the user hits submit:

paramName = comment
value = Allocate my contribution to provide relief for victims of Hurricane Katrina

paramName = emailcustomer
value = TRUE

paramName = expdate
value = 0206

paramName = state
value = AL

paramName = phone
value = 3333333

paramName = amount
value =

paramName = state_us
value = AL

paramName = lastname
value = eryt

paramName = Submit
value = Submit

paramName = amountselect
value = 50

paramName = POnum
value = Giving

paramName = recurringbilling
value = FALSE

paramName = cardnum
value = ************

paramName = cardtype
value = Visa

paramName = yy
value = 06

paramName = email
value = rsr@gmg.com

paramName = country
value = 8

paramName = description
value = Donation

paramName = contribution
value = m

paramName = city
value = eyt

paramName = mm
value = 02

paramName = address2
value = ert

paramName = firstname
value = eryth

paramName = address1
value = ert

paramName = zip
value = eryt

paramName = state_intl
value = eryt

I have also looked more closely at the code - and, sorry, but you are right.

You CAN differentiate between the destinations for your donation, because that information is passed to the server with the text in the textarea called comment. But no programmer would use the text in a textarea to look for that kind of information, because it is unreliable. A user could edit the text before sending the form (as you said).

Much more logical, and more normal, is to use the value of a radio button, and here the form is very inconsistent. Hitting 'to help promote Maharaji's message' sends the same value to the server as 'to relief for victims of Hurricane Katrina'. (m)

I have to agree now, very dodgy code, and I'm sorry to have made my earlier posting without a more thorough look at the code.

If it wasn't for that text area, I think the code might be sufficient evidence of intent to defraud. However, because you CAN distinguish between the destinations for the donations, I doubt there would be a legal case, without getting hold of a copy of what is on the server.

Sorry - when I saw that the comment var was being passed to the server, I figured that you could distinguish between where the money was supposed to go, and so my first post.

(I pasted the html directly into my first submission because I am more used to posting to a coding forum, where html is escaped - I forgot the html would be parsed in the message)
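As an added example, not code from either poster or from the donation site, the following Python shows the two points made in this post: a check that flags a radio group whose options all submit the same value (so the server cannot tell them apart), and a server-side handler that decides the allocation only from a controlled radio value and never from the editable comment textarea. The form fragment is constructed from the post's description; the option labels and the destination codes "k" and "p" are hypothetical.

```python
from html.parser import HTMLParser
from collections import defaultdict

# Constructed form fragment modelled on the post: two radio buttons named
# "contribution" that both submit "m", plus the free-text "comment" textarea.
# Field names come from the parameter dump above; the labels are hypothetical.
FORM_HTML = """
<form action="/donate" method="post">
  <input type="radio" name="contribution" value="m"> to help promote Maharaji's message<br>
  <input type="radio" name="contribution" value="m"> to relief for victims of Hurricane Katrina<br>
  <textarea name="comment">Allocate my contribution to provide relief for victims of Hurricane Katrina</textarea>
  <input type="submit" name="Submit" value="Submit">
</form>
"""

class RadioCollector(HTMLParser):
    """Collect the submitted value of every radio button, grouped by name."""
    def __init__(self):
        super().__init__()
        self.groups = defaultdict(list)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type", "").lower() == "radio":
            # A radio with no value attribute submits "on" by default.
            self.groups[a.get("name", "")].append(a.get("value", "on"))

def ambiguous_radio_groups(html):
    """Names of radio groups where two or more options submit the same value,
    i.e. groups the server cannot use to tell the user's choice apart."""
    p = RadioCollector()
    p.feed(html)
    return sorted(n for n, vals in p.groups.items() if len(vals) != len(set(vals)))

# Hypothetical server-side table: the only trusted source of the destination.
DESTINATIONS = {"k": "Hurricane Katrina relief", "p": "Promotion of message"}

def allocate(params):
    """Decide the destination from the controlled radio value alone. The
    'comment' text is kept for the record but never drives the decision."""
    dest = DESTINATIONS.get(params.get("contribution"))
    if dest is None:
        return {"ok": False, "error": "unrecognised contribution code"}
    return {"ok": True, "destination": dest, "comment": params.get("comment", "")}
```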