What is sql injection and how can i use this.

If your code looks something like this: mysql_query('UPDATE users SET first_name="' . $_POST['first_name'] . '" WHERE id=1001'); you would expect the generated SQL to be: UPDATE users set first_name="Liz" WHERE id=1001; But if your malicious user types their first name as: Liz", last_name="Lemon"; -- the generated SQL then becomes: UPDATE users SET first_name="Liz", last_name="Lemon"; --" WHERE id=1001; Now all of your users are named Liz Lemon, and that’s just not cool.

Go to YouTube. Look for Tom Scott SQL Injection. His explanations are succinct and he's super sexy.

you can inject some sql codes on an unsecured input form or get method that has a relation with mysql_query() e.g: php?id=1 mysql_query('select name from namds where id=1') i use order by + a random number to get number of collumns then union select + number of columns as 1,2,3... after finding vuln column u can inject something like php?id=union select 1,password,3 from admin or bruteforcing tables data and columns with havij or sqlmap