If you don’t know what SQL injection is, you should read this first.

However, if you authenticate users with something like the code below, you have already run into it without being aware of it.

// Vulnerable: request values are concatenated directly into the SQL string
mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] .
"' AND password='" . $_POST['password'] . "'");

Well, these are old-school tricks and old-fashioned attacks, so I will not dig into the attack side.

Quick and Dirty Prevention

Simply escape the user inputs with the built-in MySQL function mysql_real_escape_string. Something like below:

mysql_query("SELECT * FROM users WHERE username='" . mysql_real_escape_string($_POST['username']) .
"' AND password='" . mysql_real_escape_string($_POST['password']) . "'");