Today, a guy posted the following querystring in the IRC:
cart/addItem.php?PID=191N033&PName=Rokenbok+RC+Dozer+04271+**WEB+SPECIAL**+ Regular+$75.95&PPrice=64.95&Plinecode=0&Pdepartment=0&PClient=E-net&version=0.8
As you see, the price of the product has been put in the querystring, so you can easily change the price you have to pay ;-)

Obviously, such mistakes are still made. I hope you do it better.