[mcanitano]

We are wondering how to implement a way for customers to check their current order status without logging in. I know some customers either forget their passwords and don't reset it so they can login, and others aren't registered so they have no way of checking it if they delete their email we send them when it is updated.

Would any security issues arrive if we allowed customers to search through the order database by Order ID AND email (only showing results if the order ID corresponds to the input email address).

If not, where should we start? We're not really sure of the best method to do this.

We were thinking:

1. Create a PHP file that searches the entire order database using the two inputs from customer on our site (orderID & email)
2. find a match
3. return the results (limited results).
We wouldn't return valuable or secure information (we don't store CC data) such as any customer information, or anything that we might see as a security issue.