Quote from HostGator Support:
"I regret you are experiencing an issue. Unfortunately, coding beyond the scope of our support. SQL injection is a relatively old and well-known exploit; an experienced developer should be able to write code that avoids sql injection vulnerabilities.
Individual SQL transactions are not logged, but by examining the URLs requested by the attacker a developer experienced with the software being used should be able to obtain some idea of what the attacker was able to do in certain situations.
For example, the request below was not successful but the portion of the URL that contains '1=1' is a common attempt to login to a site vulnerable to SQL injection without a password."
I have blocked a wide number of IP addresses but the attacker is probably using multiple proxies.