SQL injection attack on our site
15/08/2008 09:56:58
General information
Forum: Microsoft SQL Server
Category: Other
Environment versions
SQL Server: SQL Server 2005
Miscellaneous
Thread ID: 01338988
Message ID: 01339136
Views: 9
Thank you both for the responses.

>I just recently dealt with this on some software my employer had purchased from a third party vendor years ago. I cleaned the tables too, but the next morning all the values were back. There are programs that will try to automatically execute the code on your site over and over again.
>
>I set up SQL Profiler to trace what was going on. Once I saw what they did, it was very simple: I modified two things. I denied select permissions on the sysobjects and syscolumns tables of the login that was using the site, and then I found the web page they were using and validated the parameter being passed in via the URL - because they added a long string to the end. This prevented it from actually hitting the database at all.
>
>Essentially the code I dealt with grabbed all the tables from sysobjects and all the columns from syscolumns, put them in a cursor, and executed an update on every field in every table as it walked the cursor. If the field was of the right data type and there was enough room left in the field it would insert the string similar to what you have.
>
If it's not broken, fix it until it is.
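
A defender's counterpart to what the quoted reply describes, added here as an example and not code from the thread or from either poster: it walks the catalogue the same way the injected cursor did, but to find and strip the appended string, and it applies the strict allow-list check on the URL parameter that the reply used as its second fix. It is Python over an in-memory SQLite database, with sqlite_master and PRAGMA table_info standing in for SQL Server's sysobjects and syscolumns; the marker string, table names, column names and sample rows are all constructed for the example, since the real injected string is not reproduced on the page.

```python
import re
import sqlite3

# Constructed marker standing in for the script string the thread describes;
# the real string is not reproduced on the page.
INJECTED = '<script src="http://example.invalid/x.js"></script>'

# Allow-list for the URL id parameter: a short run of digits and nothing else,
# so a valid id with anything appended is rejected before a query is built.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def validate_id(raw):
    """Return the parameter as an int, or raise ValueError."""
    if raw is None or not ID_PATTERN.fullmatch(raw):
        raise ValueError("rejected id parameter: %r" % (raw,))
    return int(raw)


def qt(name):
    """Quote an identifier read from the catalogue for use in dynamic SQL."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Walk the catalogue and return (table, column) for every text-typed
    column: the same column set an injected cursor walk would reach."""
    cols = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in tables:
        for row in conn.execute("PRAGMA table_info(%s)" % qt(table)):
            decl = (row[2] or "").upper()  # declared column type
            if "CHAR" in decl or "TEXT" in decl:
                cols.append((table, row[1]))
    return cols


def scan(conn, marker):
    """Return [(table, column, affected_rows)] for every text column that
    still carries the marker. Run it again after a cleanup to confirm."""
    hits = []
    for table, col in text_columns(conn):
        n = conn.execute(
            "SELECT COUNT(*) FROM %s WHERE instr(%s, ?) > 0" % (qt(table), qt(col)),
            (marker,)).fetchone()[0]
        if n:
            hits.append((table, col, n))
    return hits


def clean(conn, marker):
    """Strip the marker from every affected text column; return rows fixed."""
    fixed = 0
    for table, col, n in scan(conn, marker):
        conn.execute(
            "UPDATE %s SET %s = replace(%s, ?, '') WHERE instr(%s, ?) > 0"
            % (qt(table), qt(col), qt(col), qt(col)),
            (marker, marker))
        fixed += n
    conn.commit()
    return fixed


def build_sample_db():
    """Constructed in-memory database with some rows already carrying the
    marker, the state the thread describes finding the next morning."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(100), price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT);
    """)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        (1, "Widget" + INJECTED, 9.99),
        (2, "Gadget", 19.99),
    ])
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Welcome" + INJECTED, "Hello world" + INJECTED),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("text columns:", text_columns(db))
    print("before:", scan(db, INJECTED))
    print("rows cleaned:", clean(db, INJECTED))
    print("after:", scan(db, INJECTED))
    for raw in ("42", "42 trailing text", ""):
        try:
            print(raw, "->", validate_id(raw))
        except ValueError as e:
            print(e)
```

The scan deliberately reports hits per column rather than cleaning in one pass, because the reply's point is that cleaning alone is not enough: the rows come back the next morning unless the web page stops passing the parameter through. On SQL Server the same walk would read sys.objects and sys.columns (or the sysobjects/syscolumns views the reply names) and use CHARINDEX and REPLACE instead of instr and replace.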

