php_practice/exam151/index.php

<?php 
// How to escape SQL Injection

$con = mysqli_connect('localhost', 'example_user', 'Kolosnjaj4321!');
mysqli_select_db($con, 'example_database');

if(isset($_POST['username']) && isset($_POST['password'])){
    $username = $_POST['username'];
    $password = $_POST['password'];

    if(!empty($username) && !empty($password)){
        $query = "SELECT `id` FROM `users` WHERE `username` = '" . mysqli_real_escape_string($con,$username). "' AND `password` = '" .mysqli_real_escape_string($con,$password) ."'";
        $query_run = mysqli_query($con, $query);    

        if(mysqli_num_rows($query_run) >= 1){
            echo 'Login success';
        } else {
            echo 'Invalid user or pass';    
        }
    }
}


?>

<form action="index.php" method="POST">
User: <input type="text" name="username"> <br>
Pass: <input type="text" name="password"><br>
<input type="submit" value="Submit">
</form>