So, I have a web site that has been compromised twice in two weeks. Every index.php and .js file gets a script injected into the source code of the file. The problem is that I have no idea how they're doing it. I've seen this done via SQL injection before, but I don't know how they are actually writing to the file. I've dug through the Apache logs but didn't find anything interesting. The site is built using the CakePHP framework on a GoDaddy shared server.
Anybody know what security settings or log files to check to see how they are doing this?
Based on the injected files, and it being hosted on GoDaddy, I would take a look at Sucuri.net's blog posts about the continuing infection of websites on GoDaddy's shared servers over the past month.
I would start here: http://blog.sucuri.net/tag/godaddy
-Josh
This is not SQL injection. This is a worm, and getting this level of access with a worm on a custom site isn't realistic. I know this because I write exploits that worms use to spread, and I'm telling you it's definitely not SQL injection under MySQL (MS-SQL is a different story, the attacker has xp_cmdshell()).
Nevertheless you should scan your site for vulnerabilities using both w3af (free) and Wapiti (free), or Acunetix ($), or the best tool NTOSpider ($$$).
First of all I would make sure all of your libraries are up to date. Any machines with FTP access must be scanned with an anti-virus. I know GoDaddy only has FTP access, because they obviously don't care about security. There are worms that sniff for FTP logins and then infect the site; these are very successful worms because of idiots like GoDaddy. If you don't want to spring for the cash, running AVG on your local system is better than nothing.
Usually when you are infected Google will throw a browser warning and they will tell you the name of the worm. If you search for the name, oftentimes someone has done analysis and that will tell you how it is spreading.
Change the credentials for your database and FTP logins and update the security salt etc. in your app/config/core.php.
Although as Fabian said, if you are on a shared server you are at the mercy of everyone else's code also. Do as much as you can and let GoDaddy know about it also.
You might also code a helper which specifically looks for this code and strips it from your files when they are executed.
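A file-integrity check along the lines of that last suggestion, as an added example (Python; not the poster's code and not part of CakePHP). It records a baseline of the site's .php/.js files, then reports which files changed and which lines in them carry script-tag or obfuscated-eval patterns, so the owner can confirm an infection before touching the files; it reports rather than strips. The file names, the patterns and the appended tag are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = {".php", ".js"}
# Assumed markers: a <script> tag never belongs in a .js file and should not be
# appended to a PHP entry point; unescape-wrapped eval/write is a common obfuscation.
SUSPICIOUS = re.compile(r"<script\b|eval\(unescape\(|document\.write\(unescape\(", re.I)

def file_hashes(root):
    """Map relative path -> sha256 for every .php/.js file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }

def changed_files(root, baseline):
    """Files added or modified since the baseline was recorded."""
    current = file_hashes(root)
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)

def suspicious_lines(root, path):
    """1-based line numbers in one file that match the injection patterns."""
    text = (Path(root) / path).read_text(errors="replace")
    return [i for i, line in enumerate(text.splitlines(), 1) if SUSPICIOUS.search(line)]

def scan(root, baseline):
    """{changed path: [suspicious line numbers]}; an empty list means changed but clean."""
    return {p: suspicious_lines(root, p) for p in changed_files(root, baseline)}

def demo():
    """Constructed fixture: a clean two-file site, a baseline, then an appended tag."""
    root = Path(tempfile.mkdtemp())
    (root / "webroot").mkdir()
    (root / "index.php").write_text("<?php\nrequire 'app/webroot/index.php';\n")
    (root / "webroot" / "app.js").write_text("function init() { return 1; }\n")
    baseline = file_hashes(root)
    # Harmless constructed stand-in for an injected tag (example.invalid never resolves).
    tag = '<script src="http://example.invalid/constructed.js"></script>\n'
    for rel in ("index.php", "webroot/app.js"):
        with open(root / rel, "a") as fh:
            fh.write(tag)
    return scan(root, baseline)  # {'index.php': [3], 'webroot/app.js': [2]}

if __name__ == "__main__":
    print(demo())
```

Store the baseline off the shared host (it is only useful if the attacker cannot rewrite it) and re-run the scan from cron or after each deploy.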