I got my app tested by a testing company, and they reported MySQL injection vulnerabilities with filenames and the message "name of an arbitrarily supplied URL parameter". I don't know what it means?
It means that you used $_GET or $_REQUEST for database criteria when it may have been inappropriate. If the script only performs SELECT queries then this is not a problem (provided the code is resistant to SQL injection attacks), but data modification should only be performed via POST requests.
I think the problem is solved by now, but here is my bit of information for this.
GET /contact?1'=1 HTTP/1.1
Host: www.mysite.com

A single quote was submitted in the name of an arbitrarily supplied URL parameter, and a general error message was returned.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access.
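As an added illustration (not part of the original answers), here is the PHP pattern that typically produces this exact finding, next to a fixed version. It assumes a PDO connection in $pdo and a hypothetical contacts table with columns id, name and email; the key point is that a placeholder can bind a value but never a column name, so parameter names need an allow-list.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection $pdo
// and a hypothetical "contacts" table with columns id, name, email.

// VULNERABLE: every URL parameter NAME and value is spliced into the SQL.
// For  GET /contact?1'=1  the quote lands in the column position and the
// database returns a syntax error (the scanner's "general error message").
function findContactsVulnerable(PDO $pdo, array $params): array {
    $where = [];
    foreach ($params as $column => $value) {          // $params is $_GET
        $where[] = "$column = '$value'";
    }
    $sql = 'SELECT id, name, email FROM contacts WHERE ' . implode(' AND ', $where);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: parameter names are checked against a fixed allow-list of columns,
// and values go through a prepared statement with bound placeholders.
function findContactsSafe(PDO $pdo, array $params): array {
    $allowed = ['name', 'email'];                     // searchable columns only
    $where = [];
    $bind  = [];
    foreach ($params as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            // Unknown parameter name: reject it instead of interpolating it.
            throw new InvalidArgumentException("unsupported filter: $column");
        }
        $where[]       = "$column = :$column";        // name comes from the allow-list
        $bind[$column] = (string) $value;             // value is bound, not spliced
    }
    if ($where === []) {
        return [];
    }
    $sql  = 'SELECT id, name, email FROM contacts WHERE ' . implode(' AND ', $where);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the scanner's request  GET /contact?1'=1  arrives as ["1'" => "1"]
// and is rejected before any SQL text is built.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,              // server-side prepares
]);
try {
    var_dump(findContactsSafe($pdo, $_GET));
} catch (InvalidArgumentException $e) {
    http_response_code(400);                          // not a 500 with a DB error
    echo 'Bad request';
}
```

The 400 response also removes the verbose database error the scanner relied on to confirm the finding.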