Well, to expound a bit further, what the bots are looking for is the ability to create a link anywhere on the WWW they can put one. If your Notes section can be used to create a link, you'll want to have some control over who does this and why.
And, to try and answer this:
It's just your basic HTML form with a textarea area. That would not permit HTML, would it?
You'll have to decide that and write code to prevent HTML input. A plain vanilla "textarea" allows the user to put whatever they want into it (unless you write JavaScript to prevent this), and PHP will, by default, use whatever data the user provides in your handling code. You should never trust user input to be what you expect ... sooner or later it will not be, and the results can be disastrous.
We may have stumbled onto the answer to your question. No, it's not an SQL injection attack. Yes, apparently, it's simply an HTML-injection attack, as near as I can guess.
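An added example, not part of the original post: the raw output of a submitted note beside an escaped version, plus a check that flags markup or URLs so a note can be held for review. The function names and the sample notes are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the names are illustrative, not from the original post.

/** The "before": returns the note as-is, so any markup in it becomes live HTML. */
function render_note_unsafe(string $note): string
{
    return '<div class="note">' . $note . '</div>';
}

/** The "after": escape on output so the note is displayed as text only. */
function render_note_safe(string $note): string
{
    $escaped = htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br runs after escaping, so the only tags in the output are our own <br>.
    return '<div class="note">' . nl2br($escaped, false) . '</div>';
}

/** Flag notes that carry markup or a URL so they can be held for review. */
function note_needs_review(string $note): bool
{
    $hasMarkup = $note !== strip_tags($note);
    $hasUrl = preg_match('~(?:https?://|www\.)\S+~i', $note) === 1;
    return $hasMarkup || $hasUrl;
}

// Constructed sample input, as it might arrive in $_POST['notes'].
$samples = [
    "Call the customer back on Monday.\nAsk about invoice 12.",
    'Great site! <a href="http://spam.example/">cheap pills</a>',
];

foreach ($samples as $note) {
    echo "needs review: ", note_needs_review($note) ? 'yes' : 'no', "\n";
    echo "unsafe: ", render_note_unsafe($note), "\n";
    echo "safe:   ", render_note_safe($note), "\n\n";
}
```

For the second sample the unsafe version emits a working anchor tag, while the safe version emits `&lt;a href=&quot;...&quot;&gt;`, which the browser shows as plain text.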