Whenever i visit a site, i usually try things like these:

http://www.tuts4you.com/user.php?"><marquee>DigitalAcidWasHere</marquee>

You can type anything after the "> and it will be shown on the site.
I tried using alert and document.write, but the site seems to filter out most of the special characters, like semicolon, comma etc. resulting in an "Access Denied" page =).

Hmm, I'm unable to reproduce that. The site keeps url encoding everything.

I get access denied when I try a single quote.

It's a " (quotation mark ?) not 2 '...

I just copied this into the adress bar and it didn't work...

Ok - let me be more specific

A double quote is url encoded before being echoed into the page and a single quote brings up "Access Denied"

I'm using IE...
Didn't try it yet with Firefox and Opera back then.
It seems it doesn't work with those 2.

with ie it works ... strange

does the browser encode the url? why doesn't ie urlencode?

PHP runs server-side, so it should not be browser-dependent.

I thought (in fact I wrote) the same before I tried it out ...

The problem is that FF and IE encode the url differently before sending them. Check the source
FF:

<form method="post" action="http://www.tuts4you.com/user.php?%22%3E%3Cmarquee%3EDigitalAcidWasHere%3C/marquee%3E">

IE:

<form method="post" action="http://www.tuts4you.com/user.php?&amp;quot;><marquee>DigitalAcidWasHere</marquee>">

IE seems to render the code incorrectly too