SQL Injection Basics: How to prevent your website from being hacked
Say you hired a programmer who really didn't know what he or she was doing, but could code just enough to get by as a "programmer". Say he or she didn't understand that you need to secure your variables, and left them unsecured. Do you know what happens next? Yes, you probably guessed: your website could be hacked, and most likely will be!
Hackers love to find exploits in code, and they will abuse those exploits to gain access to the website. They find it fun to get in, they love the challenge, and they won't stop until they succeed. If you don't secure your variables, they will ultimately get into your website!
How do you secure your variables? This topic is really too big for a single discussion, but I'll try to provide as much information as possible. You need to escape your $_POST, $_GET, $_SESSION and all other variables you are using before they go into a query.
This is easily done with mysqli_real_escape_string (do not use the old mysql extension; it has been deprecated since PHP 5.5.0).
If you allow special characters to be entered and then displayed, you must also look into the htmlspecialchars function: escaping a value for SQL and escaping it for HTML output are two separate jobs.
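Here is an added example (my own code, not from the original article) showing the two escaping steps just described. It assumes an open mysqli connection in $db and a users table with id and username columns; the credentials in the usage comment are placeholders.

```php
<?php
// Added example: escape a value for a mysqli query, then escape the stored value
// again for HTML output. Assumes $db is an open mysqli connection and a table
// `users` with columns `id` and `username` (hypothetical schema).

function findUserUnsafe(mysqli $db, string $username): ?array
{
    // BAD: the raw value is spliced into the SQL text. Any quote character in
    // $username changes the structure of the statement instead of the data.
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

function findUserEscaped(mysqli $db, string $username): ?array
{
    // mysqli_real_escape_string() backslash-escapes quotes, backslashes and NUL
    // bytes according to the connection's character set. It only helps when the
    // value sits inside a quoted literal ('...'): an unquoted number, a column
    // name or an ORDER BY clause cannot be protected this way.
    $safe = $db->real_escape_string($username);
    $sql = "SELECT id, username FROM users WHERE username = '$safe'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

function renderUsername(array $row): string
{
    // The value comes back from the database exactly as stored, so it has to be
    // encoded for HTML before it is placed in a page. ENT_QUOTES covers both
    // single and double quotes, which matters inside attribute values.
    return '<p>Hello, ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Usage (placeholder credentials, not real values):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// $db->set_charset('utf8mb4');   // escaping is only correct for the charset mysqli knows
// $row = findUserEscaped($db, $_GET['username'] ?? '');
// echo $row ? renderUsername($row) : 'No such user';
```

Calling set_charset() on the connection before escaping is not optional: mysqli_real_escape_string() decides which bytes are special based on the connection charset, so a mismatch between what PHP and MySQL believe the charset to be can leave a quote unescaped.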
Additional security measures can include:
Disallowing special characters such as >, < and '
If an input is supposed to be an integer, making sure to cast it with (int) or intval(), check it with the is_numeric function, or use the preg_replace function to strip every character except digits
Not exposing the database details (columns/rows): prevent error messages from appearing on the front end
Stripping all characters except letters with the preg_replace function (preg_replace can do a lot of things)
Stripping HTML tags with the strip_tags function
Using PDO with prepared statements
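As an added example (my own code, not from the original article) of the last three points together, here is the same lookup done with PDO prepared statements, an integer check for an id parameter, and strip_tags on stored free text. It uses an in-memory SQLite database so it runs without a MySQL server; the users table and its two rows are constructed sample data.

```php
<?php
// Added example: PDO prepared statements plus input validation. The table and
// rows below are constructed sample data, not from any real application.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users (id, username, bio) VALUES "
         . "(1, 'alice', 'Likes <b>bold</b> text'), "
         . "(2, 'O''Brien', 'Plain bio')");

function findUserByName(PDO $pdo, string $username): ?array
{
    // The SQL text is fixed and the value travels separately as a parameter, so
    // a quote in $username (as in O'Brien) is plain data and never alters the
    // statement. This is why prepared statements beat escaping.
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function findUserById(PDO $pdo, $rawId): ?array
{
    // Validate that the id really is a positive integer before it is used.
    // filter_var() with FILTER_VALIDATE_INT rejects values such as "1abc",
    // "1.5" or "" outright; is_numeric() would also accept floats and
    // exponents, which an id column never holds.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject the request rather than trying to "clean" the value
    }
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function sanitizeBio(string $bio): string
{
    // strip_tags() removes HTML tags from the stored text; htmlspecialchars()
    // then encodes whatever remains for display. Stripping alone is not an
    // output encoder (a bare < or & would still be emitted raw), so use both.
    return htmlspecialchars(strip_tags($bio), ENT_QUOTES, 'UTF-8');
}

// Demonstration with the constructed rows above.
$user = findUserByName($pdo, "O'Brien");
echo $user['username'], PHP_EOL;

$byId = findUserById($pdo, '1');
echo sanitizeBio($byId['bio']), PHP_EOL;

var_dump(findUserById($pdo, '1abc'));
```

With MySQL the only change is the DSN and credentials in the PDO constructor; the prepared statements themselves are unchanged. Setting PDO::ATTR_ERRMODE to exceptions makes query failures visible to your error log while keeping the raw database error off the front end, which is the point made above about not exposing database details.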
There's much more to securing your PHP website than what is listed here; this is just the basics. There are many ways and methods, so choose what works best for you and always stay up to date with any exploits that are found.