Sounds like it could be SQL Injection, they simply inject SQL queries into another part of your site or even the address bar, they may have learnt about the structure of your databse. The best thing you can do is learn about SQL Injection and defend yourself against it