[thealchemistdev]

No form validation, either.

It's good that it doesn't actually send sensitive data. The request zeros out the credit card and CVC code before the POST.

Otherwise, this kid would have opened himself up to a world of hurt.