I've built a shopping cart and shipping calculator on my client site that gets rates and sales tax based on the zip code the user enters while checking out (before the authorize.net secure payment page). When the user finalizes entering his zip code, selecting a shipping service, then he is allowed to checkout (go to authorize.net payment page). I'm using the SIM method and the problem I've discovered is, if the user decides to enter a different shipping address and zip code on the authorize.net payment page then what he originally entered on my clients site to calculate the shipping and tax rates, then there could be a big shipping cost and tax difference between what the user is paying and what it actually costs. How do I go about combatting this? Is there a way to lock in the zip code entered on my clients site, on the authorize.net payment page, and disable the HTML text field? How would I do this? This is a big security hole.