Can I have the url of the website to take a look?
On confirm.php, I see you have:
<form name="ecart_checkout_form" action=""<?php echo $_SERVER["PHP_SELF"]; ?>" method="post">
it should just be:
<form name="ecart_checkout_form" action="" method="post">
Same thing on your 131_cvrs.php page... a lot of times you have forms with:
<form name="RCUK_9_ATC_<?php echo $row_xed4_05["ProductID"]; ?>" method="POST" action=""<?php echo $_SERVER["PHP_SELF"]; ?><?php echo (isset($_SERVER["QUERY_STRING"]) && $_SERVER["QUERY_STRING"] != "")?"?".$_SERVER["QUERY_STRING"]:""; ?>">
That should just be:
<form name="RCUK_9_ATC_<?php echo $row_xed4_05["ProductID"]; ?>" method="POST" action="">
I'd start by going through all of your <form> tags and make sure they don't have any php code in them. Definitely shouldn't have any references to $_SERVER["QUERY_STRING"] on the page at all at this point.