Yeah, I was doing a writeup as things went on at 1 am, despite being on the road for a few too many hours that day.
First, I really am not a web security type or even much of a web developer. I mean, I know basic computer science and roughly how most of these web languages work, as well as standard attacks, but my code fragments were largely copied and pasted even though they were basic and it would probably have been quicker to type them. In short, there are script kiddies out there that probably know way more than I do about this sort of thing, and while you would have to try very hard to maintain a virus/infection on a machine I have access to and responsibility for, much of the web stuff sails right over my head (I would not call me to optimise, or even really understand, a SQL-driven website, much less secure it).
I guess you declared a 32-bit signed value for the order number (either accidentally or to allow people to remove multiples, and even then I would just make it a signed value and allow people to change that), and if it was for a small business I guess it would be manually fulfilled, so someone would catch it. If however you had it go to an auto-completion side in a warehouse, or to someone that was not about to check things (say an intern asked to grab orders off the shelf* and stick them in the post), you as a business could be left holding the bag for a little while, which has killed more than a few businesses, or lose the money entirely, which has definitely killed more than a few businesses.
*Worse, a negative symbol could be overlooked/assumed to be a printer error or even a lead-in mark, so I could get my positive order and the stuff from my negative one and not have to pay, or, if things went really wrong, your system ends up paying me (it sees me as a debt/refund or something similar).
The HTML injection stuff... the only times you want to have people able to put HTML and/or JavaScript in a website are if they are staff for it or otherwise trusted, or you parse it to remove everything but a small subset of instructions (links, maybe pictures, text formatting (bold, italic and what have you) and not much else). It is pretty much the reason why bbcode exists. To make matters worse, I could effectively post anonymously, and indeed by a bot (no bot checks), and include full HTML and JavaScript, which scares me no end: I include a micro iframe to a site I control that either has malware on it (many web security packages will flag this) or I have just gained the ability to see who visits your site, to do some spamming, to do some black hat SEO, all in addition to the whole ability to host things for free on your site we already covered. This alone means I would be inclined to pull even this test site from the web* (I am guessing your local legal system is not very clued up on tech and you really do not want to have to explain why you are now hosting a link farm, or worse, some unpleasant content, should someone with actual bad intentions come along; you are now listed in Google at least), or at least make it reset every 10 minutes or so (probably not an easy option on your current host).
Depending upon how it is parsed, it might also allow PHP to be included, which would be very, very bad (I tried something basic just now a couple of times and it did not take (various parts of it ended up as comments where others did not), but I probably screwed it up and might be able to pull it back; if it leaves comments and adds something, that might be enough to trick it).
*Get your students a copy of http://www.uniformserver.com/ or something for them to learn on, if you have not already. Also, if I may be so bold, it might be better to get them an existing shop framework to customise/reverse engineer, or get them to build something with a bit less potential to cause serious issues (making a basic blog, guestbook or image gallery will teach all the same things). You really do not want some students using this as a commercial website, and if my experience with such matters is anything to go by, copy, paste and change the relevant names is a sound idea for most beginners/students for this sort of thing (if you have marked essays and exams, how many times have you had an almost word-for-word copy of your lecture notes/the textbook come back at you, or indeed done something similar yourself?).
I had not meant to imply using credit card numbers as authentication/username was a good thing (it really isn't). I should also mention credit card numbers have a habit of changing with time, so if a company/person wants to maintain an order history, it is best that is not the sole thing.
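As an added example, not code from the post above or from the shop site it discusses, here is a Python sketch of the two server-side checks the post argues for: rejecting a signed, zero or oversized quantity before it can reach fulfilment as a refund or a free line item, and escaping everything in user-posted text while letting only a tiny bbcode subset (bold, italic, http(s) links) through. The site in question is presumably PHP, so this is an illustration of the checks rather than a drop-in; the MAX_QTY limit, the function names and every sample input are assumptions made for the example.

```python
import html
import re

# Assumed business limit on a single line item; a real shop would pick its own.
MAX_QTY = 1000

# Only bare digits are accepted: no sign, no whitespace, no exponent, and at
# most six digits, so nothing near the 32-bit boundary can get through either.
_QTY_RE = re.compile(r"[0-9]{1,6}")


def parse_quantity(raw: str) -> int:
    """Turn an order-form quantity field into a positive int, or raise ValueError.

    A negative or zero quantity would otherwise reach fulfilment as a refund
    or as a line nobody pays for, which is the failure mode the post describes.
    """
    s = raw.strip()
    if not _QTY_RE.fullmatch(s):
        raise ValueError(f"quantity must be 1-6 digits with no sign, got {raw!r}")
    qty = int(s)
    if qty < 1 or qty > MAX_QTY:
        raise ValueError(f"quantity {qty} outside 1..{MAX_QTY}")
    return qty


def is_valid_quantity(raw: str) -> bool:
    """Boolean wrapper around parse_quantity for form validation."""
    try:
        parse_quantity(raw)
        return True
    except ValueError:
        return False


def line_total_cents(unit_price_cents: int, raw_qty: str) -> int:
    """Price a line item in integer cents; the quantity check runs first."""
    return unit_price_cents * parse_quantity(raw_qty)


# bbcode subset applied AFTER html.escape, so the only markup that can survive
# is what these patterns emit. Links must be http(s) (so no javascript: URLs)
# and get rel="nofollow" so the site is not worth using as a link farm.
_BBCODE = [
    (re.compile(r"\[b\](.*?)\[/b\]", re.DOTALL), r"<b>\1</b>"),
    (re.compile(r"\[i\](.*?)\[/i\]", re.DOTALL), r"<i>\1</i>"),
    (re.compile(r'\[url=(https?://[^\s\]"]+)\](.*?)\[/url\]', re.DOTALL),
     r'<a href="\1" rel="nofollow">\2</a>'),
]


def render_comment(text: str) -> str:
    """Escape untrusted text, then allow only the bbcode subset above."""
    out = html.escape(text, quote=True)   # <, >, &, ", ' all become entities
    for pattern, replacement in _BBCODE:
        out = pattern.sub(replacement, out)
    return out


if __name__ == "__main__":
    # Constructed sample inputs, not data from the site under discussion.
    print(line_total_cents(1999, "3"))
    for bad in ("-1", "0", "2147483648", "1e3"):
        print(bad, "accepted" if is_valid_quantity(bad) else "rejected")
    print(render_comment('<iframe src="http://attacker.invalid"></iframe>'))
    print(render_comment("[url=http://example.com/?a=1&b=2]site[/url] [b]ok[/b]"))
    print(render_comment("[url=javascript:alert(1)]click[/url]"))
```

The order of operations in render_comment is the point: escape first, then translate the allowlisted tags, so an iframe or script posted by an anonymous bot is rendered as visible text, and a `[url=javascript:...]` tag simply never matches and stays as literal text.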