diff -urN punbb-1.2.1/upload/admin_forums.php punbb-1.2.2/upload/admin_forums.php
--- punbb-1.2.1/upload/admin_forums.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.2/upload/admin_forums.php	Fri Feb 18 22:05:02 2005
@@ -229,6 +229,9 @@
 
 	// Fetch forum info
 	$result = $db->query('SELECT id, forum_name, forum_desc, redirect_url, num_topics, sort_by, cat_id FROM '.$db->prefix.'forums WHERE id='.$forum_id) or error('Unable to fetch forum info', __FILE__, __LINE__, $db->error());
+	if (!$db->num_rows($result))
+		message($lang_common['Bad request']);
+
 	$cur_forum = $db->fetch_assoc($result);
 
 
diff -urN punbb-1.2.1/upload/admin_groups.php punbb-1.2.2/upload/admin_groups.php
--- punbb-1.2.1/upload/admin_groups.php	Tue Feb  1 16:16:46 2005
+++ punbb-1.2.2/upload/admin_groups.php	Fri Feb 18 22:05:02 2005
@@ -54,6 +54,9 @@
 			message($lang_common['Bad request']);
 
 		$result = $db->query('SELECT * FROM '.$db->prefix.'groups WHERE g_id='.$group_id) or error('Unable to fetch user group info', __FILE__, __LINE__, $db->error());
+		if (!$db->num_rows($result))
+			message($lang_common['Bad request']);
+
 		$group = $db->fetch_assoc($result);
 
 		$mode = 'edit';
diff -urN punbb-1.2.1/upload/admin_loader.php punbb-1.2.2/upload/admin_loader.php
--- punbb-1.2.1/upload/admin_loader.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.2/upload/admin_loader.php	Thu Feb 24 22:15:54 2005
@@ -36,8 +36,8 @@
 
 
 // The plugin to load should be supplied via GET
-$plugin = isset($_GET['plugin']) ? $_GET['plugin'] : null;
-if (!$plugin)
+$plugin = isset($_GET['plugin']) ? $_GET['plugin'] : '';
+if (!preg_match('/^AM?P_(\w*?)\.php$/i', $plugin))
 	message($lang_common['Bad request']);
 
 // AP_ == Admins only, AMP_ == admins and moderators
@@ -49,6 +49,9 @@
 if (!file_exists(PUN_ROOT.'plugins/'.$plugin))
 	message('There is no plugin called \''.$plugin.'\' in the plugin directory.');
 
+// Construct REQUEST_URI if it isn't set
+if (!isset($_SERVER['REQUEST_URI']))
+	$_SERVER['REQUEST_URI'] = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '').'?'.(isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '');
 
 $page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / Admin / '.$plugin;
 require PUN_ROOT.'header.php';
diff -urN punbb-1.2.1/upload/footer.php punbb-1.2.2/upload/footer.php
--- punbb-1.2.1/upload/footer.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.2/upload/footer.php	Tue Feb 22 23:31:02 2005
@@ -140,12 +140,12 @@
 
 
 // START SUBST - <pun_include "*">
-while (preg_match('<pun_include "(.*?)">', $tpl_main, $cur_include))
+while (preg_match('/<pun_include "(.*?)">/', $tpl_main, $cur_include))
 {
 	ob_start();
 	include PUN_ROOT.$cur_include[1];
 	$tpl_temp = ob_get_contents();
-	$tpl_main = str_replace('<'.$cur_include[0].'>', $tpl_temp, $tpl_main);
+	$tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main);
     ob_end_clean();
 }
 // END SUBST - <pun_include "*">
diff -urN punbb-1.2.1/upload/include/email.php punbb-1.2.2/upload/include/email.php
--- punbb-1.2.1/upload/include/email.php	Mon Jan 31 18:56:12 2005
+++ punbb-1.2.2/upload/include/email.php	Fri Feb 18 22:05:02 2005
@@ -71,12 +71,12 @@
 	$from = str_replace(':', ' ', $from);
 
 	// Detect what linebreak we should use for the headers
-	if (strtoupper(substr(PHP_OS, 0, 3) == 'WIN'))
-		$eol = "\r\n";
-	else if (strtoupper(substr(PHP_OS, 0, 3) == 'MAC'))
-		$eol = "\r";
-	else
-		$eol = "\n";
+	if (strtoupper(substr(PHP_OS, 0, 3) == 'WIN'))
+		$eol = "\r\n";
+	else if (strtoupper(substr(PHP_OS, 0, 3) == 'MAC'))
+		$eol = "\r";
+	else
+		$eol = "\n";
 
 	$headers = 'From: '.$from.$eol.'Date: '.date('r').$eol.'MIME-Version: 1.0'.$eol.'Content-transfer-encoding: 8bit'.$eol.'Content-type: text/plain; charset='.$lang_common['lang_encoding'].$eol.'X-Mailer: PunBB Mailer';
 
diff -urN punbb-1.2.1/upload/include/functions.php punbb-1.2.2/upload/include/functions.php
--- punbb-1.2.1/upload/include/functions.php	Sat Jan 29 17:12:52 2005
+++ punbb-1.2.2/upload/include/functions.php	Mon Feb 21 21:00:14 2005
@@ -108,6 +108,9 @@
 
 	// Fetch guest user
 	$result = $db->query('SELECT u.*, g.*, o.logged FROM '.$db->prefix.'users AS u INNER JOIN '.$db->prefix.'groups AS g ON u.group_id=g.g_id LEFT JOIN '.$db->prefix.'online AS o ON o.ident=\''.$remote_addr.'\' WHERE u.id=1') or error('Unable to fetch guest information', __FILE__, __LINE__, $db->error());
+	if (!$db->num_rows($result))
+		exit('Unable to fetch guest information. The table \''.$db->prefix.'users\' must contain an entry with id = 1 that represents anonymous users.');
+
 	$pun_user = $db->fetch_assoc($result);
 
 	// Update online list
@@ -229,40 +232,40 @@
 	global $pun_config, $lang_common, $pun_user;
 
 	// Index and Userlist should always be displayed
-	$links[] = '<li id="navindex"><a href="index.php">'.$lang_common['Index'].'</a>';
-	$links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';
+	$links[] = '<li id="navindex"><a href="index.php">'.$lang_common['Index'].'</a>';
+	$links[] = '<li id="navuserlist"><a href="userlist.php">'.$lang_common['User list'].'</a>';
 
 	if ($pun_config['o_rules'] == '1')
-		$links[] = '<li id="navrules"><a href="misc.php?action=rules">'.$lang_common['Rules'].'</a>';
+		$links[] = '<li id="navrules"><a href="misc.php?action=rules">'.$lang_common['Rules'].'</a>';
+
+	if ($pun_user['is_guest'])
+	{
+		if ($pun_user['g_search'] == '1')
+			$links[] = '<li id="navsearch"><a href="search.php">'.$lang_common['Search'].'</a>';
+
+		$links[] = '<li id="navregister"><a href="register.php">'.$lang_common['Register'].'</a>';
+		$links[] = '<li id="navlogin"><a href="login.php">'.$lang_common['Login'].'</a>';
 
-	if ($pun_user['is_guest'])
-	{
-		if ($pun_user['g_search'] == '1')
-			$links[] = '<li id="navsearch"><a href="search.php">'.$lang_common['Search'].'</a>';
-
-		$links[] = '<li id="navregister"><a href="register.php">'.$lang_common['Register'].'</a>';
-		$links[] = '<li id="navlogin"><a href="login.php">'.$lang_common['Login'].'</a>';
-
-		$info = $lang_common['Not logged in'];
-	}
+		$info = $lang_common['Not logged in'];
+	}
 	else
-	{
-		if ($pun_user['g_id'] > PUN_MOD)
-		{
-			if ($pun_user['g_search'] == '1')
-				$links[] = '<li id="navsearch"><a href="search.php">'.$lang_common['Search'].'</a>';
-
-			$links[] = '<li id="navprofile"><a href="profile.php?id='.$pun_user['id'].'">'.$lang_common['Profile'].'</a>';
-			$links[] = '<li id="navlogout"><a href="login.php?action=out&amp;id='.$pun_user['id'].'">'.$lang_common['Logout'].'</a>';
-		}
-		else
-		{
-			$links[] = '<li id="navsearch"><a href="search.php">'.$lang_common['Search'].'</a>';
-			$links[] = '<li id="navprofile"><a href="profile.php?id='.$pun_user['id'].'">'.$lang_common['Profile'].'</a>';
-			$links[] = '<li id="navadmin"><a href="admin_index.php">'.$lang_common['Admin'].'</a>';
-			$links[] = '<li id="navlogout"><a href="login.php?action=out&amp;id='.$pun_user['id'].'">'.$lang_common['Logout'].'</a>';
-		}
-	}
+	{
+		if ($pun_user['g_id'] > PUN_MOD)
+		{
+			if ($pun_user['g_search'] == '1')
+				$links[] = '<li id="navsearch"><a href="search.php">'.$lang_common['Search'].'</a>';
+
+			$links[] = '<li id="navprofile"><a href="profile.php?id='.$pun_user['id'].'">'.$lang_common['Profile'].'</a>';
+			$links[] = '<li id="navlogout"><a href="login.php?action=out&amp;id='.$pun_user['id'].'">'.$lang_common['Logout'].'</a>';
+		}
+		else
+		{
+			$links[] = '<li id="navsearch"><a href="search.php">'.$lang_common['Search'].'</a>';
+			$links[] = '<li id="navprofile"><a href="profile.php?id='.$pun_user['id'].'">'.$lang_common['Profile'].'</a>';
+			$links[] = '<li id="navadmin"><a href="admin_index.php">'.$lang_common['Admin'].'</a>';
+			$links[] = '<li id="navlogout"><a href="login.php?action=out&amp;id='.$pun_user['id'].'">'.$lang_common['Logout'].'</a>';
+		}
+	}
 
 	// Are there any additional navlinks we should insert into the array before imploding it?
 	if ($pun_config['o_additional_navlinks'] != '')
@@ -271,11 +274,11 @@
 		{
 			// Insert any additional links into the $links array (at the correct index)
 			for ($i = 0; $i < count($extra_links[1]); ++$i)
-				array_splice($links, $extra_links[1][$i], 0, array('<li id="navextra'.($i + 1).'">'.$extra_links[2][$i]));
+				array_splice($links, $extra_links[1][$i], 0, array('<li id="navextra'.($i + 1).'">'.$extra_links[2][$i]));
 		}
 	}
 
-	return '<ul>'."\n\t\t\t\t".implode($lang_common['Link separator'].'</li>'."\n\t\t\t\t", $links).'</li>'."\n\t\t\t".'</ul>';
+	return '<ul>'."\n\t\t\t\t".implode($lang_common['Link separator'].'</li>'."\n\t\t\t\t", $links).'</li>'."\n\t\t\t".'</ul>';
 }
 
 
diff -urN punbb-1.2.1/upload/install.php punbb-1.2.2/upload/install.php
--- punbb-1.2.1/upload/install.php	Thu Feb  3 17:40:56 2005
+++ punbb-1.2.2/upload/install.php	Thu Feb 24 22:30:58 2005
@@ -24,7 +24,7 @@
 
 
 // The PunBB version this script installs
-$punbb_version = '1.2.1';
+$punbb_version = '1.2.2';
 
 
 define('PUN_ROOT', './');
@@ -33,7 +33,7 @@
 
 
 // Make sure we are running at least PHP 4.1.0
-if (version_compare(PHP_VERSION, '4.1.0', '<'))
+if (intval(str_replace('.', '', phpversion())) < 410)
 	exit('You are running PHP version '.PHP_VERSION.'. PunBB requires at least PHP 4.1.0 to run properly. You must upgrade your PHP installation before you can continue.');
 
 // Disable error reporting for uninitialized variables
diff -urN punbb-1.2.1/upload/login.php punbb-1.2.2/upload/login.php
--- punbb-1.2.1/upload/login.php	Sun Jan 16 15:50:28 2005
+++ punbb-1.2.2/upload/login.php	Mon Feb 21 23:33:52 2005
@@ -91,8 +91,9 @@
 	// Remove user from "users online" list.
 	$db->query('DELETE FROM '.$db->prefix.'online WHERE user_id='.$pun_user['id']) or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
 
-	// Update last_visit
-	$db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());
+	// Update last_visit (make sure there's something to update it with)
+	if (isset($pun_user['logged']))
+		$db->query('UPDATE '.$db->prefix.'users SET last_visit='.$pun_user['logged'].' WHERE id='.$pun_user['id']) or error('Unable to update user visit data', __FILE__, __LINE__, $db->error());
 
 	pun_setcookie(1, random_pass(8), time() + 31536000);
 
diff -urN punbb-1.2.1/upload/moderate.php punbb-1.2.2/upload/moderate.php
--- punbb-1.2.1/upload/moderate.php	Tue Feb  1 16:16:46 2005
+++ punbb-1.2.2/upload/moderate.php	Thu Feb 24 22:16:34 2005
@@ -98,6 +98,9 @@
 		{
 			confirm_referrer('moderate.php');
 
+			if (preg_match('/[^0-9,]/', $posts))
+				message($lang_common['Bad request']);
+
 			// Delete the posts
 			$db->query('DELETE FROM '.$db->prefix.'posts WHERE id IN('.$posts.')') or error('Unable to delete posts', __FILE__, __LINE__, $db->error());
 
@@ -278,6 +281,9 @@
 	{
 		confirm_referrer('moderate.php');
 
+		if (preg_match('/[^0-9,]/', $_POST['topics']))
+			message($lang_common['Bad request']);
+
 		$topics = explode(',', $_POST['topics']);
 		$move_to_forum = intval($_POST['move_to_forum']);
 		if (empty($topics) || $move_to_forum < 1)
@@ -394,6 +400,9 @@
 	{
 		confirm_referrer('moderate.php');
 
+		if (preg_match('/[^0-9,]/', $topics))
+			message($lang_common['Bad request']);
+
 		require PUN_ROOT.'include/search_idx.php';
 
 		// Delete the topics and any redirect topics
@@ -459,7 +468,7 @@
 	{
 		confirm_referrer('moderate.php');
 
-		$topics = isset($_POST['topics']) ? $_POST['topics'] : array();
+		$topics = isset($_POST['topics']) ? @array_map('intval', @array_keys($_POST['topics'])) : array();
 		if (empty($topics))
 			message($lang_misc['No topics selected']);
 
diff -urN punbb-1.2.1/upload/profile.php punbb-1.2.2/upload/profile.php
--- punbb-1.2.1/upload/profile.php	Tue Feb  1 16:16:46 2005
+++ punbb-1.2.2/upload/profile.php	Thu Feb 24 22:16:34 2005
@@ -223,7 +223,7 @@
 		}
 
 		// Check if someone else already has registered with that e-mail address
-		$result = $db->query('SELECT id, username FROM '.$db->prefix.'users WHERE email=\''.$new_email.'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
+		$result = $db->query('SELECT id, username FROM '.$db->prefix.'users WHERE email=\''.$db->escape($new_email).'\'') or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
 		if ($db->num_rows($result))
 		{
 			if ($pun_config['p_allow_dupe_email'] == '0')
@@ -243,7 +243,7 @@
 
 		$new_email_key = random_pass(8);
 
-		$db->query('UPDATE '.$db->prefix.'users SET activate_string=\''.$new_email.'\', activate_key=\''.$new_email_key.'\' WHERE id='.$id) or error('Unable to update activation data', __FILE__, __LINE__, $db->error());
+		$db->query('UPDATE '.$db->prefix.'users SET activate_string=\''.$db->escape($new_email).'\', activate_key=\''.$new_email_key.'\' WHERE id='.$id) or error('Unable to update activation data', __FILE__, __LINE__, $db->error());
 
 		// Load the "activate e-mail" template
 		$mail_tpl = trim(file_get_contents(PUN_ROOT.'lang/'.$pun_user['language'].'/mail_templates/activate_email.tpl'));
@@ -711,7 +711,7 @@
 		{
 			$form = extract_elements(array('realname', 'url', 'location'));
 
-			if ($pun_user['g_id'] < PUN_GUEST)
+			if ($pun_user['g_id'] == PUN_ADMIN)
 				$form['title'] = trim($_POST['title']);
 			else if ($pun_user['g_set_title'] == '1')
 			{
@@ -819,7 +819,7 @@
 	// Singlequotes around non-empty values and NULL for empty values
 	while (list($key, $input) = @each($form))
 	{
-		$value = ($input != '') ? '\''.$db->escape($input).'\'' : 'NULL';
+		$value = ($input !== '') ? '\''.$db->escape($input).'\'' : 'NULL';
 
 		$temp[] = $key.'='.$value;
 	}
@@ -1182,7 +1182,7 @@
 	}
 	else if ($section == 'personal')
 	{
-		if ($pun_user['g_set_title'] == '1' || $pun_user['g_id'] < PUN_GUEST)
+		if ($pun_user['g_set_title'] == '1')
 			$title_field = '<label>'.$lang_common['Title'].'&nbsp;&nbsp;(<em>'.$lang_profile['Leave blank'].'</em>)<br /><input type="text" name="title" value="'.pun_htmlspecialchars($user['title']).'" size="30" maxlength="50" /><br /></label>'."\n";
 
 		$page_title = pun_htmlspecialchars($pun_config['o_board_title']).' / '.$lang_common['Profile'];
diff -urN punbb-1.2.1/upload/register.php punbb-1.2.2/upload/register.php
--- punbb-1.2.1/upload/register.php	Tue Jan 11 20:41:14 2005
+++ punbb-1.2.2/upload/register.php	Thu Feb 24 22:16:34 2005
@@ -180,7 +180,7 @@
 	$password_hash = pun_hash($password1);
 
 	// Add the user
-	$db->query('INSERT INTO '.$db->prefix.'users (username, group_id, password, email, email_setting, save_pass, timezone, language, style, registered, registration_ip, last_visit) VALUES(\''.$db->escape($username).'\', '.$intial_group_id.', \''.$password_hash.'\', \''.$email1.'\', '.$email_setting.', '.$save_pass.', '.$timezone.' , \''.$language.'\', \''.$pun_config['o_default_style'].'\', '.$now.', \''.get_remote_address().'\', '.$now.')') or error('Unable to create user', __FILE__, __LINE__, $db->error());
+	$db->query('INSERT INTO '.$db->prefix.'users (username, group_id, password, email, email_setting, save_pass, timezone, language, style, registered, registration_ip, last_visit) VALUES(\''.$db->escape($username).'\', '.$intial_group_id.', \''.$password_hash.'\', \''.$email1.'\', '.$email_setting.', '.$save_pass.', '.$timezone.' , \''.$db->escape($language).'\', \''.$pun_config['o_default_style'].'\', '.$now.', \''.get_remote_address().'\', '.$now.')') or error('Unable to create user', __FILE__, __LINE__, $db->error());
 	$new_uid = $db->insert_id();