+%#untaint custnum
+%$cgi->param('custnum') =~ /^(\d+)$/
+% or die 'illegal custnum '. $cgi->param('custnum');
+%my $custnum = $1;
+%$cgi->param('pkgpart') =~ /^(\d+)$/
+% or die 'illegal pkgpart '. $cgi->param('pkgpart');
+%my $pkgpart = $1;
+%
+%my @cust_pkg = ();
+%my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] );
+%
+%if ($error) {
+% $cgi->param('error', $error);
+% print $cgi->redirect(popurl(2). 'misc/order_pkg.html?'. $cgi->query_string );
+%} else {
+% my $frag = "cust_pkg". $cust_pkg[0]->pkgnum;
+<% header('Package ordered') %>
+ <SCRIPT TYPE="text/javascript">
+ // XXX fancy ajax rebuild table at some point, but a page reload will do for now