Can a hacker hijack a website via injecting a malicious script into a php contact form?

[CharlieN]

My website was hijacked and I dont know how - it does have a php contact form but it doesn't hook up to a database so no sql!