A Mysql injection is attack tried by site visitors/users to get/damage data in databases by taking benefit from poor programming of websites.An injection attack occurs when a visitor to your site types something into a form input with the purpose of changing the outcome of your MySQL query. For example, at a login screen someone may try this type of attack to gain access to a secure area of the website.

If your query to check the username and password entered by the user was this:

"SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'"

Someone could login by using any username and for the password they would type ' OR ''='' which would be placed into your MySQL query changing it to be:
 

"SELECT * FROM users WHERE username = 'anyuser' AND password = '' OR ''=''"

As you can see, MySQL injection attacks can be pretty serious depending on the information the person has access to once they are logged in. It is very important for you to secure your site against injection attacks. Luckily, PHP can aid you in preventing injection attacks.

MySQL will then return all the rows in the table and then, depending on your script's logic, you will probably log them in because there was a match. Now, in most cases, people have magic_quotes_gpc turned on (it's the PHP default) which will add backslashes to escape all ' (single-quote), " (double quote), (backslash) and NULL characters. This is not foolproof though because there are other characters that should be escaped to be safe.

Preventing Mysql/PHP injections:-

There are php mysql functions to prevent such type of things:
into your queries. One of The function is mysql_real_escape_string().

use Like :- $value = "'" . mysql_real_escape_string($value) . "'";

For integer values dont forgot to use intval() function