I ditto Masem's answer (glad I hit Refresh before replying :).

I think you really should use a database for this. Whatever you do, don't have the CGI params determine what the filename is... I've been able to use shopping cart scripts to look at arbitrary files on their system including /etc/passwd and the script itself by using a URL like

http://foo.com/cgi-bin/cart.pl?....&FILE=../../../cgi-bin/cart.pl
[download]

basically getting arbitrary information from their system. (I let them know through a throw-away hotmail account and surfed the site through safeweb.com -- be careful when telling people you were probing their shopping cart)

Like Masem said avoid putting information into a cookie, another reason being so that people can't set their prices arbitrarily. If you're processing orders "in house", then you might be more likely to overlook that somebody gave themself a rebate. Anyway, if you can avoid cookies, you should try to.