Index: in-commerce/constants.php
===================================================================
--- in-commerce/constants.php	(revision 12146)
+++ in-commerce/constants.php	(revision 12147)
@@ -20,6 +20,12 @@
 	define('ORDER_STATUS_DENIED',		5);
 	define('ORDER_STATUS_ARCHIVED',		6);
 
+	/**
+	 * ID of order, that 100% not in database
+	 *
+	 */
+	define('FAKE_ORDER_ID', -1);
+
 	define('PRODUCT_TYPE_TANGIBLE',		1);
 	define('PRODUCT_TYPE_SUBSCRIPTION',	2);
 	define('PRODUCT_TYPE_SERVICE',		3);
Index: in-commerce/units/orders/orders_event_handler.php
===================================================================
--- in-commerce/units/orders/orders_event_handler.php	(revision 12146)
+++ in-commerce/units/orders/orders_event_handler.php	(revision 12147)
@@ -1047,77 +1047,113 @@
 	{
 		$event->setEventParam('raise_warnings', 0);
 		$passed = parent::getPassedID($event);
-		if( $this->Application->IsAdmin() ) return $passed;
+		if ( $this->Application->IsAdmin() ) {
+			// work as usual in admin
+			return $passed;
+		}
 
 		if ($event->Special == 'last') {
 			// return last order id (for using on thank you page)
 			return $this->Application->RecallVar('front_order_id');
 		}
 
-		$ses_id = $this->Application->RecallVar( $event->getPrefixSpecial(true).'_id' );
-		if ( $passed && ($passed != $ses_id) )
-		{
-			$query = 'SELECT PortalUserId FROM '.TABLE_PREFIX.'Orders WHERE OrderId = '.$passed;
-			$user_id = $this->Conn->GetOne($query);
-			if ($user_id != $this->Application->RecallVar('user_id'))
-			{
+		$ses_id = $this->Application->RecallVar( $event->getPrefixSpecial(true) . '_id' );
+		if ($passed && ($passed != $ses_id)) {
+			// order id given in url doesn't match our current order id
+			$sql = 'SELECT PortalUserId
+					FROM ' . TABLE_PREFIX . 'Orders
+					WHERE OrderId = ' . $passed;
+			$user_id = $this->Conn->GetOne($sql);
+
+			if ($user_id == $this->Application->RecallVar('user_id')) {
+				// current user is owner of order with given id -> allow him to view order details
+				return $passed;
+			}
+			else {
+				// current user is not owner of given order -> hacking attempt
 				$this->Application->SetVar($event->getPrefixSpecial().'_id', 0);
 				return 0;
 			}
-			else
-			{
-				return $passed;
-			}
 		}
-		else // not passed or equals to ses_id
-		{
-			if (!$ses_id)
-			{
-				$this->CreateNewCart($event);
-				return $this->Application->RecallVar($event->getPrefixSpecial(true).'_id');
-			}
-			else
-			{
-				return $ses_id;
-			}
+		else {
+			// not passed or equals to ses_id
+			return $ses_id > 0 ? $ses_id : FAKE_ORDER_ID; // FAKE_ORDER_ID helps to keep parent filter for order items set in "kDBList::linkToParent"
 		}
+
 		return $passed;
 	}
 
-	function CreateNewCart(&$event)
+	/**
+	 * Load item if id is available
+	 *
+	 * @param kEvent $event
+	 */
+	function LoadItem(&$event)
 	{
+		$id = $this->getPassedID($event);
+		if ($id == FAKE_ORDER_ID) {
+			// if we already know, that there is no such order,
+			// then don't run database query, that will confirm that
+
+			$object =& $event->getObject();
+			/* @var $object kDBItem */
+
+			$object->Clear($id);
+			return ;
+		}
+
+		parent::LoadItem($event);
+	}
+
+	/**
+	 * Creates new shopping cart
+	 *
+	 * @param kEvent $event
+	 */
+	function _createNewCart(&$event)
+	{
 		$object =& $event->getObject( Array('skip_autoload' => true) );
-		$new_number = $this->getNextOrderNumber($event);
-		$object->SetDBField('Number', $new_number);
+		/* @var $object kDBItem */
+
+		$object->SetDBField('Number', $this->getNextOrderNumber($event));
 		$object->SetDBField('SubNumber', 0);
-		$object->SetDBField('Type', 0); //incomplete
+		$object->SetDBField('Type', ORDER_STATUS_INCOMPLETE);
 		$object->SetDBField('VisitId', $this->Application->RecallVar('visit_id') );
 
+		// get user
 		$user_id = $this->Application->RecallVar('user_id');
-		if (!$user_id) $user_id = -2; //Guest
+		if (!$user_id) {
+			$user_id = -2; // Guest
+		}
 		$object->SetDBField('PortalUserId', $user_id);
 
+		// get affiliate
 		$affiliate_id = $this->isAffiliate($user_id);
-		if($affiliate_id)
-		{
+		if ($affiliate_id) {
 			$object->SetDBField('AffiliateId', $affiliate_id);
 		}
-		else
-		{
+		else {
 			$affiliate_storage_method = $this->Application->ConfigValue('Comm_AffiliateStorageMethod');
 			$object->SetDBField('AffiliateId', $affiliate_storage_method == 1 ? (int)$this->Application->RecallVar('affiliate_id') : (int)$this->Application->GetVar('affiliate_id') );
 		}
 
+		// get payment type
 		$default_type = $this->Conn->GetOne('SELECT PaymentTypeId FROM '.TABLE_PREFIX.'PaymentTypes WHERE IsPrimary = 1');
-		if($default_type)
-		{
+		if ($default_type) {
 			$object->SetDBField('PaymentType', $default_type);
 		}
 
-		$object->Create();
+		$created = $object->Create();
+		if ($created) {
+			$id = $object->GetID();
 
-		$this->Application->SetVar($event->getPrefixSpecial(true).'_id', $object->GetId());
-		$this->Application->StoreVar($event->getPrefixSpecial(true).'_id', $object->GetId());
+			$this->Application->SetVar($event->getPrefixSpecial(true) . '_id', $id);
+			$this->Application->StoreVar($event->getPrefixSpecial(true) . '_id', $id);
+
+			return $id;
+		}
+
+		return 0;
 	}
 
 	function StoreContinueShoppingLink()
@@ -1822,7 +1858,8 @@
 	function getNextOrderNumber(&$event)
 	{
 		$object =& $event->getObject();
-		$sql = 'SELECT MAX(Number) FROM '.$this->Application->GetLiveName($object->TableName);
+		$sql = 'SELECT MAX(Number)
+				FROM ' . $this->Application->GetLiveName($object->TableName);
 		return max($this->Conn->GetOne($sql) + 1, $this->Application->ConfigValue('Comm_Next_Order_Number'));
 	}
 
@@ -2588,21 +2625,35 @@
 
 		// Loading product to add
 		$product =& $this->Application->recallObject('p.toadd', null, Array('skip_autoload' => true));
+		/* @var $product kDBItem */
+
 		$product->Load($item_id);
 
-
 		$object =& $this->Application->recallObject('orditems.-item', null, Array('skip_autoload' => true));
+		/* @var $object kDBItem */
 
 		$order =& $this->Application->recallObject('ord');
+		/* @var $order kDBItem */
+
+		if (!$order->isLoaded() && !$this->Application->IsAdmin()) {
+			// no order was created before -> create one now
+			if ($this->_createNewCart($event)) {
+				$this->LoadItem($event);
+			}
+		}
+
+		if (!$order->isLoaded()) {
+			// was unable to create new order
+			return false;
+		}
+
 		$ord_id = $order->GetID();
 
-		if($item_data = $event->getEventParam('ItemData'))
-		{
+		if ($item_data = $event->getEventParam('ItemData')) {
 			$item_data = unserialize($item_data);
 		}
-		else
-		{
-			$item_data = Array();
+		else {
+			$item_data = Array ();
 		}
 
 		$options = getArrayValue($item_data, 'Options');
@@ -2763,7 +2814,10 @@
 		$order =& $event->getObject();
 		/* @var $order OrdersItem */
 
-		if ( !$order->isLoaded() ) $this->LoadItem($event); // try to load
+		if ( !$order->isLoaded() ) {
+			$this->LoadItem($event); // try to load
+		}
+
 		$ord_id = (int)$order->GetID();
 
 		if ( !$order->isLoaded() ) return; //order has not been created yet
Index: in-commerce/units/orders/orders_tag_processor.php
===================================================================
--- in-commerce/units/orders/orders_tag_processor.php	(revision 12146)
+++ in-commerce/units/orders/orders_tag_processor.php	(revision 12147)
@@ -43,21 +43,27 @@
 
 		function PrintCompanyLocation($params)
 		{
-			$fields = Array('City','State','ZIP','Country');
 			$ret = '';
-			foreach($fields as $field)
-			{
+			$fields = Array ('City','State','ZIP','Country');
+
+			foreach ($fields as $field) {
 				$value = $this->Application->ConfigValue('Comm_'.$field);
-				if($field == 'Country')
-				{
+				if ($field == 'Country') {
 					$sql = 'SELECT DestName
 							FROM '.TABLE_PREFIX.'StdDestinations
 							WHERE DestAbbr = '.$this->Conn->qstr($value);
 					$value = $this->Application->Phrase( $this->Conn->GetOne($sql) );
 				}
-				if ($field == 'Country' && $value) $ret .= '<br/>';
-				if($value) $ret .= $value.', ';
+
+				if ($field == 'Country' && $value) {
+					$ret .= '<br/>';
+				}
+
+				if ($value) {
+					$ret .= $value.', ';
+				}
 			}
+
 			return rtrim($ret,', ');
 		}
 
@@ -89,18 +95,17 @@
 			$o = '';
 
 			$params['render_as'] = $params['item_render_as'];
+			$tag_params = array_merge($params, Array ('per_page' => -1));
 
-			$o_items = $this->Application->ProcessParsedTag(rtrim('orditems.'.$this->Special, '.'), 'PrintList', 	array_merge($params, Array(
-					'per_page' => -1
-			)) );
-			if ($o_items){
+			$o_items = $this->Application->ProcessParsedTag(rtrim('orditems.'.$this->Special, '.'), 'PrintList', $tag_params);
 
+			if ($o_items) {
 				$cart_params = array('name' => $params['header_render_as']);
 				$o  = $this->Application->ParseBlock($cart_params);
 				$o .= $o_items;
 				$cart_params = array('name' => $params['footer_render_as']);
 				$o .= $this->Application->ParseBlock($cart_params);
-			}else {
+			} else {
 				$cart_params = array('name' => $params['empty_cart_render_as']);
 				$o = $this->Application->ParseBlock($cart_params);
 			}
@@ -121,11 +126,12 @@
 			return $object->GetDBField('BackOrderFlag');
 		}
 
-		function OrderIcon($params){
+		function OrderIcon($params)
+		{
 			$object =& $this->Application->recallObject('orditems');
-			if ($object->GetDBField('BackOrderFlag')==0){
+			if ($object->GetDBField('BackOrderFlag') == 0) {
 				return $params['ordericon'];
-			}else{
+			} else {
 				return $params['backordericon'];
 			}
 		}
@@ -179,8 +185,8 @@
 			$order_id = $this->Application->RecallVar('ord_id');
 			if ($order_id) {
 				$sql = 'SELECT COUNT(*)
-						FROM '.TABLE_PREFIX.'OrderItems
-						WHERE OrderId = '.$order_id;
+						FROM ' . TABLE_PREFIX . 'OrderItems
+						WHERE OrderId = ' . $order_id;
 				return $this->Conn->GetOne($sql);
 			}
 
@@ -195,7 +201,13 @@
 		function CartHasBackorders($params)
 		{
 			$object =& $this->getObject($params);
-			$different_types = $this->Conn->GetCol('SELECT COUNT(*) FROM '.TABLE_PREFIX.'OrderItems WHERE OrderId = '.$object->GetID().' GROUP BY BackOrderFlag');
+
+			$sql = 'SELECT COUNT(*)
+					FROM ' . TABLE_PREFIX . 'OrderItems
+					WHERE OrderId = ' . $object->GetID() . '
+					GROUP BY BackOrderFlag';
+			$different_types = $this->Conn->GetCol($sql);
+
 			return count($different_types) > 1;
 		}
 
@@ -649,7 +661,8 @@
 			return $o;
 		}
 
-		function ShowOrder($params){
+		function ShowOrder($params)
+		{
 
 			$order_params = $this->prepareTagParams($params);
 //			$order_params['Special'] = 'myorders';
@@ -678,21 +691,19 @@
 			return crc32($list_unique_key);
 		}
 
-		function ListOrders($params){
-
+		function ListOrders($params)
+		{
 			$o = '';
-
 			$params['render_as'] = $params['item_render_as'];
 
 			$o_orders = $this->PrintList2($params);
 
-			if ($o_orders){
-
+			if ($o_orders) {
 				$orders_params = array('name' => $params['header_render_as']);
 				$o  = $this->Application->ParseBlock($orders_params);
 				$o .= $o_orders;
 
-			}else {
+			} else {
 				$orders_params = array('name' => $params['empty_myorders_render_as']);
 				$o = $this->Application->ParseBlock($orders_params);
 			}
@@ -869,6 +880,9 @@
 		function OrderHasTangibleItems($params)
 		{
 			$object =& $this->getObject($params);
+			if ($object->GetID() == FAKE_ORDER_ID) {
+				return false;
+			}
 
 			$sql = 'SELECT COUNT(*)
 					FROM '.TABLE_PREFIX.'OrderItems orditems