Commerce Server 2007 Training material and Books

Anybody starting out with Commerce Server 2007 has been in the same situation: lacking resources for training, as these have been virtually non-existent. This obviously leaves the learning curve rather steep, as you are pretty much on your own.

I started out with a clean install on a Virtual PC, a copy of the Starter Site and a lot of time experimenting and trying things out. That's a pretty good way of learning, but you could really save a lot of time if you had a few training resources to get you started and to explain the basics.

Well, this is your lucky day, because Max Akbar has just announced on his blog that there is upcoming training material, currently in the final testing phase, that will be published to MSLearning within two weeks.

Furthermore, there seem to be plans for a book, so this is very exciting. If you're working with, or have an interest in, Commerce Server, be sure to subscribe to Max's blog feed.

Universal coupon code and SQL injections revisited

It's so annoying. You probably know the feeling: you're shopping on the internet, you've found a great webshop, and even a product that you simply must own. You have put the item in the shopping basket and you have a firm grip on your credit card when you go to the checkout, ready to pay the quoted price. And what do you see: a coupon code field!

So if you were amongst the selected few, you would have had a coupon code giving you a percentage discount on the product you have chosen. But you don't have the code, and you can't help feeling a little cheated out of the discount if you were to buy it anyway.

The other day my girlfriend was buying a pair of Gucci shoes from a renowned webshop, and she asked me where she would get that coupon code, because the shoes were probably too expensive for her budget, so if she could save something, she could convince herself that it would be okay to buy them anyway.

I told her that I didn't know, but as a joke, I said that she could always use the Universal coupon code, with a reference to the good old days, when nobody thought about SQL injections. Obviously she didn't consider it funny, and demanded to get the code. I told her to write 'or'1'='1 in the field, thinking that it wouldn't work. But she pressed the button, and lo and behold, she got a 20% discount on a $600 pair of shoes.

That left me thinking that this must be a fluke. With all the hype about SQL injections, I was absolutely sure that it would not be possible to reproduce this anywhere else. But I was wrong. In the last couple of days I have tried this on more than 20 different shops on the internet, small and large, and three times I succeeded in retrieving a discount from the database.

So to all webshop owners out there I would like to reiterate: make sure that text coming from user input is always validated to avoid this situation, and, to be sure, tell your developers that they should always use parameterized queries or stored procedures. It's not only a question of a few people getting discounts; it's much worse: with a little more ingenuity, people might be able to wreak havoc in your database.
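To make the difference concrete, here is an added example (not code from the original post, and unrelated to Commerce Server's own data layer): a coupon lookup in Python against a constructed in-memory SQLite table, written once by string concatenation, which is the pattern that lets the 'or'1'='1 text above rewrite the WHERE clause, and once with a bound parameter. It also shows an allow-list check on the shape of the code as a second layer. The table contents, the coupon format and the function names are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample data for the example; not a real shop's coupon table.
SAMPLE_COUPONS = [("SPRING20", 20), ("VIP50", 50)]

# Allow-list for what a coupon code may look like (assumed format for the example).
COUPON_PATTERN = re.compile(r"[A-Z0-9]{4,20}")


def build_db():
    """Create an in-memory SQLite database holding the constructed coupons."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, discount_pct INTEGER)")
    conn.executemany("INSERT INTO coupons VALUES (?, ?)", SAMPLE_COUPONS)
    return conn


def lookup_coupon_vulnerable(conn, code):
    """The pattern behind the post: the coupon text is pasted into the SQL string,
    so a quote in the input becomes part of the WHERE clause instead of a value."""
    sql = "SELECT discount_pct FROM coupons WHERE code = '" + code + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_coupon_parameterized(conn, code):
    """Bound parameter: the driver passes the text purely as a value, never as SQL,
    so the input can only match a coupon that is literally spelled that way."""
    row = conn.execute(
        "SELECT discount_pct FROM coupons WHERE code = ?", (code,)
    ).fetchone()
    return row[0] if row else None


def is_well_formed_code(code):
    """Input validation as defense in depth: reject anything outside the allow-list."""
    return COUPON_PATTERN.fullmatch(code) is not None


def redeem(conn, code):
    """What the checkout should do: validate the shape, then look up with a bound
    parameter. Returns the discount percentage, or None if no coupon applies."""
    if not is_well_formed_code(code):
        return None
    return lookup_coupon_parameterized(conn, code)


if __name__ == "__main__":
    db = build_db()
    text = "'or'1'='1"  # the input from the post
    print("concatenated SQL:  ", lookup_coupon_vulnerable(db, text))    # some discount
    print("bound parameter:   ", lookup_coupon_parameterized(db, text))  # None
    print("validated + bound: ", redeem(db, text))                       # None
```

The concatenated version returns a discount for the quoted input because the finished statement reads `WHERE code = ''or'1'='1'`, which is true for every row; the parameterized version returns nothing because the whole string is compared as one value. One caveat on the stored-procedure advice: a stored procedure only helps if it binds its arguments too; a procedure that builds dynamic SQL by concatenating its parameters is just as exposed.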

I'm going to leave the ethical debate about utilizing discounts that weren't intended for you, and that were provided by hacking the system, to the comments.

On a side note, I would like to encourage everybody to always google for a coupon code, as many coupon codes are made available online to communities and such, and there's no reason why you should miss out on that.

Posted March 12, 2007 by Joachim Lykke Andersen
In Ecommerce
