I plan on coding my own PM system sometime in the future using PHP and MySQL (it is for a Firefox extension, so I can't use any pre-written ones). I understand that you may not be able to reveal too much for security reasons, but I was wondering if you can tell us whether or not this was a SQL-injection attack? Once it is fixed, would you be able to tell us how it was done?
One of my main concerns with the system is that I will overlook some injection approach, so I keep an eye out for things like this to make sure I can prevent it.