- You don't check for spaces in the name/password (or any fields for that matter, except the message form field)
For the password, I don't care so much. If you're dumb enough to do that then it's your fault; I don't even know if the crack library is installed, so I won't waste time with a strength test. However I'll put a trim statement around the checks for both those.

- change password does not appear to be working.
I haven't tried it, but I'll verify that to be sure. I might've mistyped the query.

- no proper email validation.
No sendmail either, so no go there.

- when I post a message without a subject and submit the form, a blank form is returned. Please, make it so that the message is not lost, and only the text in the subject field has to be added.
I could have sworn this was already in, but I found tons of typos in each upload.

In all, nice work for 9 hours
Thanks. I'm not a complete newbie, I work as a contractor doing some similar stuff, and worked on this in sections of split time. I missed tons of things between days and ended up cleaning up numerous times. I'll tackle a few of these things tonight/tomorrow, so thanks for testing them.

SQL/HTML are both neutered by the same function call; I made a simple "doctorStr" function that escapes and makes strings safe. Post length in the DB is 65K (word) characters.