diff --git a/backend/db.js b/backend/db.js
index 34e5835..fedadde 100644
--- a/backend/db.js
+++ b/backend/db.js
@@ -242,6 +242,23 @@ export const database = {
 createOrder({ spotId, userId, items }) {
 const parsedItems = items.map((item) => {
+ if (
+ !item ||
+ typeof item!== 'object' ||
+ Array.isArray(item)
+ )
+ {
+ throw new Error('Invalid item format');
+ }
+ if(
+ //if item has it's own property
+ Object.prototype.hasOwnProperty.call(item, 'name') ||
+ Object.prototype.hasOwnProperty.call(item, 'unitPrice') ||
+ Object.prototype.hasOwnProperty.call(item, 'total')
+ )
+ {
+ throw new Error('Do not provide name, unitPrice, or total. These are derived from catalog. ')
+ }
 const quantity = Number(item.quantity || 0);
 if (!item.productId || !Number.isInteger(quantity) || quantity <= 0) {
 throw new Error('Each order item must include productId and a positive integer quantity');
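Review bot: The second added check in `createOrder` is a denylist of three keys (`name`, `unitPrice`, `total`), so any other client-supplied field on an item is still accepted. Whether that matters depends on how the rest of the `items.map` callback, which continues outside this hunk, builds each parsed item. If the client is only ever expected to send `productId` and `quantity`, an allowlist is tighter and does not need updating when new derived fields appear: `const allowed = new Set(['productId', 'quantity']);` followed by `if (Object.keys(item).some((key) => !allowed.has(key))) throw new Error('Unexpected item field');`. Separately, the new `throw` is missing its terminating semicolon and its message ends with a stray space, and the comment would read more clearly as `// reject client-supplied values for catalog-derived fields`.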