Did more work on letting the shop's web site take orders. Today I was sorting out some of the back end stuff like getting the site to send an email to me and to the customer letting us know that the order exists. It took a few iterations before I was convinced that I wasn't creating a potential injection vulnerability through the customer email field ie you don't want to do something stupid like:

system("sendmail UNTRUSTED_INPUT_HERE < /path/to/message");