This isn't a new exploit.
And here's roughly how it works:
It hunts down forms with a .php extention.
The source is analyzed and the name of each field is extracted.
Values are assigned for each field name. These Values are actually MySql queries and sendmail arguments.
The page is reloaded with the querries in place and the PHP engine processes them.... and executes everything.

The simplest solution is to name the forms with a custom extention such as .pqr and create an apache directive to process these through the php engine.

The exploit is spidering for .php because that's what it requires. It will completely overlook your forms.