It's not that customers are able to add the same item to cart - the item is the form id and I believe we've fixed that issue - it's that they appear to be able to create a new order, in the orders table, even if the form id is already associated with an existing order in that table. That shouldn't be possible.
Also, we had a customer today, form reference 13179, who was able to progress to PayPal without even writing an order to the orders table! :S
Add to Cart is on two pages....
1) health-screening-form.php - This is the page that customers use to create and complete a new order.
2) view-order.php - This is the page that customers use to complete a partially completed order.
I believe that the problems that are occurring are with people who are part completing an order and then either returning to the website at a later date - at which time they're asked to log in and complete the existing order - or, alternatively, they are simply pulling up cached pages in their browser and trying to complete the process.
Either way, something is seriously wrong in the loop and just when I think I have one problem solved, a customer comes along and seems to be able to completely circumnavigate the proper flow of purchase.
I have tested the website numerous times, on all browsers, in Sandbox and Live mode and I just can't replicate any of it.
Hope you can see where it's going wrong via the log files.