Ryan, thanks for responding so quickly.

What you said is correct but that's not the problem. To test out using evemts in JS a created an HTML link with a URL of a blank string "". When I clicked on it an index of my files appeared! If I click on them I can see the PHP code!

So all my PHP scripts are there for the world to attack me through!

I guess this is a server permissions thing but I tried tying down the directories world permissions and then the pages failed with a server error.

This must be a common problem.

regards,
Ken