Users must not be able to define unauthorised virtual locations/addresses such as:

Database table names. File system paths. Alert SMS or email messages. URL paths. All such properties must be defined by the ecommerce application itself, or drawn from a valid list of locations permitted for the user and their role.