you mean Cross site scripting?
Perhaps they have cross-site scripting and SQLi confused? Certainly SQLi is, as its name implies, the injection of malicious code into the database. The end result can vary depending on the code the databse allows to be executed, but can lead to compromise of user acounts, deletion of data, and all sorts of nasty things...
Cross site scripting (XSS) can take some of the forms of SQLi in that some XSS attacks can plant code, ready for the next visitor, but we usually think of url-redirect exploits as described here as XSS attacks.
If these guys are confused, after the event, about the nature of the attack, then it might be wise of them to get someone who can understand the difference, and its a bit surprising that they show so little understanding after the event... I hope they haven't "left it to the developers" to fix it.