[Solved] Detecting vulnerabilities for SQL injection [closed]

There are 2 parts you want to consider:

  1. Finding as much information as you can about the script.
  2. Actually exploiting it.

Jignesh was talking about the first part. In the example Jignesh gave, you find out that the script is using MySQL, information about the server / files, and that he doesn't check the category parameter as an int (because if he did, he would do something to handle this situation; instead the query was run, and the result (expected to be an array) is probably empty).

There are many methods for this first part, but I recommend you check sqlmap; it's a very awesome program I use for checking my websites.

Moving on to the actual "hacking", the most basic example is the one with the users:

URL: login.php | POST data: user = "admin' OR 1 -- ", pass = ""
PHP: $query = "SELECT * FROM users WHERE user='{$_POST['user']}' AND password='{$_POST['pass']}'";
SQL: SELECT * FROM users WHERE user='admin' OR 1 -- ' AND password=''
Result: selects all the users in the users table (the quote in the input closes the user literal, OR 1 is true for every row, and "-- " comments out the password check; MySQL requires the space after "--")

You can also check this tutorial http://www.unixwiz.net/techtips/sql-injection.html
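As an added example (not part of the original answer), both halves of the procedure described above in Python against an in-memory SQLite database standing in for the MySQL backend: a probe that sends a stray quote to an integer parameter and reads a database error as the signal the answer describes, and the answer's login query built by string interpolation beside the same query with bound placeholders. The table contents, the payload handling, and the names `make_db`, `probe_int_param`, `vulnerable_login` and `safe_login` are constructed for this illustration.

```python
import sqlite3

# Constructed sample schema and rows for this illustration; SQLite stands in
# for the MySQL backend the answer describes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, user TEXT, password TEXT);
        INSERT INTO users(user, password) VALUES ('admin', 's3cret'), ('bob', 'hunter2');
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, category INTEGER);
        INSERT INTO products(name, category) VALUES ('widget', 1), ('gadget', 2);
    """)
    return conn


# ---- Part 1: finding the hole ------------------------------------------
# The category parameter is interpolated into the query text, so a value that
# is not an int reaches the database as broken SQL.
def vulnerable_products(conn, category):
    return conn.execute(
        f"SELECT name FROM products WHERE category = {category}").fetchall()

# Hardened: validate the type first, then bind with a placeholder.
def safe_products(conn, category):
    category = int(category)          # ValueError for anything non-numeric
    return conn.execute(
        "SELECT name FROM products WHERE category = ?", (category,)).fetchall()

def probe_int_param(handler, conn):
    """Send a stray quote in place of the integer and classify the outcome.

    'error'    - the database choked on the input: the raw value reached the
                 query text, which is the tell-tale the answer describes
    'rejected' - the application validated the parameter before any SQL ran
    'ok'       - no complaint at all; needs a different (blind) probe
    """
    try:
        handler(conn, "1'")
    except sqlite3.OperationalError:
        return "error"
    except ValueError:
        return "rejected"
    return "ok"


# ---- Part 2: exploiting the login query --------------------------------
PAYLOAD = "admin' OR 1 -- "   # trailing space: MySQL needs it after "--"

# The answer's $query, transcribed: the quotes come from the template, so a
# quote in the input closes the literal and the rest is parsed as SQL.
def vulnerable_login(conn, user, password):
    query = (f"SELECT user FROM users "
             f"WHERE user='{user}' AND password='{password}'")
    return sorted(row[0] for row in conn.execute(query))

# Hardened: placeholders ship the values separately from the statement text,
# so the whole payload is compared against the user column as one string.
def safe_login(conn, user, password):
    query = "SELECT user FROM users WHERE user=? AND password=?"
    return sorted(row[0] for row in conn.execute(query, (user, password)))


if __name__ == "__main__":
    db = make_db()
    print("probe vulnerable:", probe_int_param(vulnerable_products, db))
    print("probe safe:      ", probe_int_param(safe_products, db))
    print("vulnerable login:", vulnerable_login(db, PAYLOAD, ""))
    print("safe login:      ", safe_login(db, PAYLOAD, ""))
```

Run stand-alone, the probe reports "error" for the interpolating handler and "rejected" for the validating one, and the login payload returns every user from the interpolated query but nothing from the parameterised one. sqlmap automates exactly this kind of probing (and many more payload families) against a live target; the point of the snippet is to show what it is looking for.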
