To exand on @heurteph-ei’s explaination regarding SQL injections:
Your query is
select * from hppage where (hpnr = $hpnr and pagelink = '$page1')
$page1 is directly set to the value of a GET parameter. So by setting any arbitrary value as a GET parameter, one can (and sooner or later some automated script will or already has) e.g. set it to
'); truncate hppage; --
making the SQL query:
select * from hppage where (hpnr = $hpnr and pagelink = ''); truncate hppage; --')
which then becomes interpreted by your SQL server as two commands separated by a
; with a comment at the end.
And the second command deletes all values in the hppage table.
And even worse if the SQL user also has access to other tables, anyone on the internet can not only delete and modify all data there, but also read it this way.
(To limit the impact a bit, I deleted all links to your site above)