Hi in reply to the poster above, yes Easy Basket does store the password in index.php, as far as i know this not a security vulnerability, as an example Google Checkout tell you to store your Merchant ID and Key in a php file. Settings.php is the xml for your settings if you try to view this directly you are just redirected to the easy basket index page, i have tracked this with firebug and at no time is the xml sent to the client. If you can demonstrate how to bypass these measures, i will be very happy to update Easy Basket

Although this script is neat and shows how java script can be utilized, it has some major securities flaws. The password for the admin is contained within the index.php file. The google embedded references and paypal are in a file named: settings.php, which is in the root. This is a hacker's delight. For an e-comm script is this not good. Also hackers may be able may themselves from your Paypal account setup. I would use an mature e-comm open source script and leave this alone. Just think, the people from Hotscripts recommend Easy Basket. What are they about? Summary, EasyBasket needs a security fix. I am sure they will easy fix this.