Although this is not the most authoritative site, I had to go here to find out what an SQL injection was and they have something on mitigation. Might give you some ideas.

http://en.wikipedia.org/wiki/SQL_injecti...

And of the easiest things is to make sure to parametrize all of your queries, do not use any inline SQL!

Get off the botted NT network. they will then be committing a felony intrusion in plain provable sight, best idea would be to go off line for a while, remove the NT exploit, set your system up to redirect your unwanted moderator to FBI dot com and let them try to figure it out.

You need to validate ALL data entered before accepting it or even trying to read it. That means ANY data etry from anyone MUST be filtered to prevent scripts, lins to scripts, and any possible type of code. READ the php manual and the mysql manual.