You skip past all this code and just set p = 0.01 in Firebug. Refresh the page and now your item's price is $0.01. This works in at least 20-30% of all the small-to-medium enterprise AJAX carts I've informally tested it on. Having never checked out (that would be theft) with this modified value, it's impossible to say if those same retailers were using proper serverside validation in the checkout process. I'd guess not, given their lackluster approach to AJAX security.
In the shopping cart example product ids would be saved server-side and prices would be calculated by checking those ids against the db. If the user wants to change the page to show "foobar" instead of the real product name and 0.01 euros instead of the real price is his right but it would not change is order.
How would you avoid such a "vulnerabily" by the way?