I'll take a look into this, but it wouldn't explain why the hacker didn't cleanly deface the main page and left some odd escaped tags - this is what leads me to believe it was done ONLY using the form.
If he was using the form, then he used SQL injection, which I provided the fix for above.
No new data in the database, along with permanently modifying the page, says otherwise.
Is Apache the only other potential breach?