Preventing MySQL Injection attacks with good PHP code- Using PHP for preventing MySQL injection attacks on your site
A MySQL injection is an attack in which a site visitor or user tries to read or damage data in the database by taking advantage of poorly written website code. An injection attack occurs when a visitor to your site types something into a form input with the purpose of changing the outcome of your MySQL query. For example, at a login screen someone may try this type of attack to gain access to a secure area of the website.
If your query to check the username and password entered by the user was this:

```php
"SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'"
```

Someone could log in using any username and, for the password, typing `' OR ''='`, which would be placed into your MySQL query, changing it to:

```sql
SELECT * FROM users WHERE username = 'anyuser' AND password = '' OR ''=''
```

MySQL will then return all the rows in the table and, depending on your script's logic, you will probably log them in because there was a match. Now, in most cases, people have magic_quotes_gpc turned on (it's the PHP default), which adds backslashes to escape all ' (single quote), " (double quote), \ (backslash) and NULL characters. This is not foolproof, though, because there are other characters that should be escaped to be safe.

As you can see, MySQL injection attacks can be pretty serious depending on the information the person has access to once they are logged in. It is very important for you to secure your site against injection attacks. Luckily, PHP can aid you in preventing injection attacks.
Preventing MySQL/PHP injections:
PHP provides MySQL functions to stop such values from being injected into your queries. One of these functions is mysql_real_escape_string(). Use it like this:

```php
$value = "'" . mysql_real_escape_string($value) . "'";
```

For integer values, don't forget to use the intval() function.
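As an added example (not code from the original post), here is the vulnerable login query builder beside an escaped one and an intval() check for a numeric column. It uses mysqli_real_escape_string(), the mysqli equivalent of mysql_real_escape_string(), because the mysql extension the post refers to was removed in PHP 7.0; the connection credentials and the users table are assumptions.

```php
<?php
// Added example, not code from the original post. The mysql_* extension it
// refers to was removed in PHP 7.0, so mysqli_real_escape_string() is used;
// it needs a live connection ($db) because escaping depends on the
// connection's character set. Connection details below are assumed.

// Vulnerable: request values are spliced straight into the SQL string.
function buildLoginQueryVulnerable(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
}

// Hardened: every string value is escaped and always wrapped in quotes,
// so a quote typed by the user stays inside the literal.
function buildLoginQueryEscaped(mysqli $db, string $username, string $password): string
{
    $u = "'" . mysqli_real_escape_string($db, $username) . "'";
    $p = "'" . mysqli_real_escape_string($db, $password) . "'";
    return "SELECT * FROM users WHERE username = $u AND password = $p";
}

// For numeric columns, quoting is not the point: force the type with intval().
function buildUserByIdQuery(string $rawId): string
{
    $id = intval($rawId);
    return "SELECT * FROM users WHERE id = $id";
}

// Constructed input: the payload from the post, plus a numeric one.
$username = 'anyuser';
$password = "' OR ''='";
$rawId    = '7 OR 1=1';

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // assumed credentials
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // set the charset before escaping anything

echo buildLoginQueryVulnerable($username, $password), "\n";
echo buildLoginQueryEscaped($db, $username, $password), "\n";
echo buildUserByIdQuery($rawId), "\n";
```

The vulnerable builder produces the `'' OR ''=''` query shown above; the escaped builder keeps the whole password inside one quoted literal, which matches no row, and the id query reduces to `id = 7`.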