If your client doesn't wish to release the source, you could always set up the system somewhere, and let us know where it is. This way we can bang on it and see if we can break it. Most of us have likely done similar systems and know possible pitfalls. If noone would see the source anyways, then we would be doing just the same as a black hat would. Maybe if someone finds a hole, you could donate X hours of pay to PerlMonks.

Cheers,
KM