Have you cheched your server log how the hacker get in ?

Just because your site is hacked, we can't say the script is insecure. You need to check your web server log to know how the hacker got in.

If you have the apache log, let me know, i can look into the problem, few things you need to check are the date of file modification and apache access log in same time.

I don't think this is issue with the script, if it was, it will be our demo site hacked first.