Unfortunately, this is all too common; MySQL injections are a likely cause.
You should get into contact with your host and see if there isn't a message from them about any sort of compromised server or others having the same issue. It has happened to me and while it takes forever for them to fix, if the attack is big enough the host sometimes applies a patch to remove the malicious scripts.
You may also want to revert to a backup / take the site down or otherwise make sure that you are not being blacklisted by Google. If you leave malicious code on your page, it's a very real possibility that the next time Google crawls you and finds it, your visitors will be hit with the big red "THIS SITE HAS MALICIOUS CODE" in their browser (a few modern browsers pull from Google's blacklist). This is a huge pain in the ass, suffice it to say. If you do get blacklisted, you're going to need to use Webmaster Tools to request a re-crawl once you have yourself sorted.
The best thing to do is to keep off-site backups. There are a couple of plugins which make this effortless. Keep one locally for ease of access and one on Amazon S3.
Also, keep your registrar separate from your host. Oftentimes during a massive attack your hosting provider's admin tools will become unresponsive, or just plain deactivated because so many people are trying to jump ship at once. With a different registrar (hopefully unaffected) you can switch your DNS to a new host where you install a new instance of your site using the backup.