Hi,
When using PHP & PayPal, you should always configure your script to validate any incoming links. The problem is not having a return URL, is actually not processing the return properly. I can help you fix that.
I can also help you use encryption to prevent users from seeing it anyway.
Let me know if you have any questions. You can see my reviews also.
(I'm in Costa Rica, similar timezone to the USA, that should help us coordinate).
Thanks in advance!
Leo