That's because the hacker is sending data directly to your form's action url
server side validation to have any chance of 100% protection from spam or any other malicious code. Just a captcha with no server side validation still leaves you vulnerable to spam and other attacks.
I would recommend adding some sort of captcha test to your form to hopefully stop data from non-humans (bots etc, not aliens
There are plenty of examples on the interweb on how to use regex's in php to validate common form user inputs.