Yes, Google for mysql injection but ALSO Google for XSS (or Cross Site Scripting.) This is another form of injection. The tech support is **probably** correct, but sometimes they just throw an answer out when they don't have one. Ask yourself:
Do you filter input? Do you have register globals off? If I input, say "my name" into one of your forms, is it echoed back somewhere when I submit, like
echo "$_POST['my_name']";
If the answer to the first two is no or the third yes, this may not be how your site was hacked, but it's definately vulnerable.
Since you are going to be a while figuring this out, here is a simple test to see if it's your programming or not.
Get your site back up, view source of the pages, save them as static files. Not PHP. Disable any forms, etc. that would require server side programming. Remove ALL PHP scripts, all of them.
Upload **just** the static files to your site. Immediately change your passwords, and use **only** SFTP to connect to your site.
This serves two purposes: static html pages cannot be hacked from public page input, and you will have content on your site while you figure it out.
So if it gets hacked again when only static pages are on your site, it's something else. Don't overlook an important one: if you are on shared hosting, the hack may come from some other insecure site on the same box. It may not even be you.
A side note that most people don't know: when you connect to a site using "regular ole' FTP," the u and p is sent in clear text, with each file you transfer. Someone sniffing the data on a server can capture these. Most people get by without ever getting hacked this way, but it does happen.
