Basically, it's a situation where user inputs contain text that can change what your database query actually does. Let's suppose you have a query that uses one input parameter:
$query = "SELECT * FROM some_table WHERE foo = '$input'";
Now, let's suppose a nasty user inputs the value:
x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --
Now your PHP code would turn every user in the database into an admin-level user (assuming the attacker knows or has correctly guessed your database schema), as the value of $query would now be:
SELECT * FROM some_table WHERE foo = 'x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --'
This can be prevented by using an appropriate escaping function on any inputs being used in a query, which in your current situation is the mysql_real_escape_string() function (it uses a backslash as its escaping character, much as PHP does when you use it to escape quotes within a quoted string), and you can also use type-casting to make sure numeric values are, in fact, numeric. DB extensions that provide for the use of prepared statements and bound parameters provide a means to let the database interface handle the escaping itself.
$sql = "INSERT INTO some_table (user_name, age) VALUES('".mysql_real_escape_string($user)."', ".(int)$age.")";
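The prepared-statement approach mentioned at the end, as an added example that is not part of the original answer: it uses PDO with an in-memory SQLite database (table and rows constructed here, pdo_sqlite assumed to be installed) and feeds the same hostile string from above to both a concatenated query and a bound parameter, so you can see that the bound version only ever compares it against the column as data.

```php
<?php
// Added example, not from the original answer. Demonstrates PDO prepared
// statements and bound parameters against the injection shown above.
// Assumes the pdo_sqlite extension; the table and its rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE some_table (id INTEGER PRIMARY KEY, foo TEXT, user_name TEXT, age INTEGER)");
$pdo->exec("INSERT INTO some_table (foo) VALUES ('alpha'), ('beta')");

// The hostile input from the answer above, used here purely as test data.
$input = "x' OR 1 IN (UPDATE users SET user_type='ADMIN' WHERE 1=1 RETURNING user_id) --";

// 1. Vulnerable: the input is spliced into the SQL text, so its quote and
//    comment characters become part of the statement the database parses.
try {
    $rows = $pdo->query("SELECT * FROM some_table WHERE foo = '$input'")->fetchAll();
    echo "concatenated query ran and returned " . count($rows) . " row(s)\n";
} catch (PDOException $e) {
    // SQLite's grammar rejects this particular statement; a database whose
    // grammar accepted it would run the injected UPDATE. Either way the
    // attacker, not the developer, decided what SQL was executed.
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. Safe: the SQL text is fixed at prepare() time. The value travels
//    separately and can only be compared against the foo column, quotes,
//    comment marker and all. No escaping function is needed.
$stmt = $pdo->prepare("SELECT * FROM some_table WHERE foo = :foo");
$stmt->execute([':foo' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared query returned " . count($rows) . " row(s)\n"; // 0: no row has that literal foo

// 3. The same technique replaces mysql_real_escape_string() and the (int)
//    cast in the INSERT above. Declaring the parameter type keeps the
//    numeric column numeric; the quote in the name is handled by the driver.
$user = "O'Brien";
$age  = "42";
$ins = $pdo->prepare("INSERT INTO some_table (user_name, age) VALUES (:user_name, :age)");
$ins->bindValue(':user_name', $user, PDO::PARAM_STR);
$ins->bindValue(':age', (int) $age, PDO::PARAM_INT);
$ins->execute();

$check = $pdo->query("SELECT user_name, age FROM some_table WHERE user_name = 'O''Brien'")->fetch(PDO::FETCH_ASSOC);
echo "stored: {$check['user_name']} ({$check['age']})\n"; // stored: O'Brien (42)
```

The placeholders can be positional (`?`) instead of named if you prefer; what matters is that the statement text never contains user-supplied characters.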