You have not stated if this is a functioning website, OR a PHP-based blog?
SQL Injection is a result of vulnerability in either PHP provided by your host, or insecure PHP add-ons that you may installed.
In the event the PHP has been hacked, all the deleting and replacing in the world is NOT going to remove the "hack". It'll just return on the new pages.
In many instances, PHP takes precedence over htaccess.
Do you have an offline (local) backup of your website saved from before the hack occurred?
Just delete all the online files and upload the backup files.
If no offline backup, than you'll likely need to re-create your site from scratch.
In any event, you'll still need to locate and coorect the PHP vulnerability