Could be SQL injection somewhere... What is the URL? I can take a quick look to see if I can find SQL injection holes...
One thing you can do is create a database user with read-only access and make sure that is the one used on the front end so that SQL injection won't be possible for updating the database anyway.
How old is the site? What version of Dreamweaver did you use to build it? Dreamweaver Recordsets used to have SQL injection vulnerabilities, but those have been fixed for a couple of years now.
Given your explanation I think SQL injection is the most likely candidate.