What is your website? On what back-end script is it running (PHP? JSP? ASP.NET?). Which kind of CMS are you using, if any?
All I can say is that if people can post any code on your site, and it is then executed, your form protection is very, very poor.
Donít click this link!