What the hell, how is it possible that I got malware at my website?
I have a theory. A nasty computer program infected the website. The way it is done seems Cross-site scripting to me.
Ok, why me? May be because the nasty computer program searches for webpages called webform*.htm for example with this search http://www.google.com/search?hl=en&q=allinurl:+webform.
Ok, why was it possible? Because I created my own forms? That should not be a problem (in theory).
I used the PHP strip-tags function, so there should be no problem (in theory). It was clear that that was not enough (in practice). So I added also the PHP escapeshellcmd function. That little nasty computer program should have used that, because almost all pages where infected at once. It simple could not be a manual edit action.
The most important protection for nasty computer programs is probably a Turing test via a Captcha (or a recaptcha). I think that this combination gives the most effective protection. Allthough nowadays I am not sure about that. Remember that I thought that strip-tags was enough ;-).
Tip: Test your site with the free Acunetix cross-site scripting scanner