php - Custom function with MySQLi extension issue
I don't know what is wrong with the query written below. $username is passed from the form via the POST method and $mysqli is the connection variable. Code:
```php
$mysqli = new mysqli("127.0.0.1", "root", "", "securelogin");

function usernamecheck($username, $mysqli) {
    // $username is interpolated straight into the SQL text
    $query = "select username from user where username = '$username'";
    $stmt = $mysqli->prepare($query);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt > 1) {            // compares the statement object itself, not a row count
        $stmt->close();
        return false;
    }
}
```
This function checks if the username exists in the database.
I have solved it with the following function:
```php
function usernamecheck($username, $mysqli) {
    // $username is still interpolated into the SQL text
    $query = "select `username` from `user` where `username` = '$username'";
    $result = $mysqli->query($query);
    if ($result->num_rows != 0) {
        return false;           // username already taken
    }
    return true;
}
```
But, as I was told, it is vulnerable to SQL injection. I don't know how to make the code non-injectable.
Your query is vulnerable to SQL injection. Please use a prepared statement correctly:
```php
function usernamecheck($username, $mysqli) {
    $query = 'select username from user where username = ?';
    $stmt = $mysqli->prepare($query);
    $stmt->bind_param('s', $username);   // value is sent separately from the SQL text
    $stmt->execute() or die('error: ' . $stmt->error);
    $stmt->bind_result($username);
    return $stmt->fetch();               // true when a row was fetched, null when none
}
```
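An added example (not part of the question or the answer above) that puts the parameterized check into a complete function, turns on exception-based error reporting for mysqli so a failed prepare() or execute() cannot be mistaken for "no rows", and shows by contrast what the interpolated query from the question becomes when a hostile value is supplied. The host and database name follow the question; the account name, password, the `user` table layout and the sample usernames are assumptions.

```php
<?php
// Added example, not code from the original question or answer.

// Throw mysqli_sql_exception on errors instead of returning false, so a
// failed prepare()/execute() surfaces instead of looking like an empty result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Host and database follow the question; the account is an assumed
// least-privilege application user, not root with an empty password.
function connect(): mysqli
{
    return new mysqli('127.0.0.1', 'app_user', 'change-me', 'securelogin');
}

// Returns true when the username exists, false otherwise. The SQL text is a
// constant; the user-supplied value travels separately as a bound parameter,
// so it can never change the shape of the statement.
function usernameExists(mysqli $mysqli, string $username): bool
{
    $stmt = $mysqli->prepare('SELECT 1 FROM `user` WHERE `username` = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();          // num_rows is only meaningful after this
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    return $exists;
}

// For contrast: the statement the question builds by string interpolation.
// Returned rather than executed so the effect of an injected value is visible.
function interpolatedQuery(string $username): string
{
    return "SELECT username FROM user WHERE username = '$username'";
}

// A value a user could type into the login form (constructed for illustration).
$hostile = "' OR '1'='1";

// Show how the interpolated statement changes shape for this input.
echo interpolatedQuery($hostile), PHP_EOL;

$mysqli = connect();
// Exact-name lookup.
var_dump(usernameExists($mysqli, 'alice'));
// The hostile string is compared literally against the column; the quote and
// the OR are just characters in the parameter value.
var_dump(usernameExists($mysqli, $hostile));
$mysqli->close();
```

With the hostile value, interpolatedQuery() produces a WHERE clause of `username = '' OR '1'='1'`: the leading quote closes the literal and the appended condition matches every row, so the existence check would report a match for any input. Passing such an interpolated string to prepare(), as the question's first attempt does, gains nothing; the protection comes from the `?` placeholder plus bind_param(), which sends the value outside the SQL text. Two smaller points: call store_result() before reading num_rows, otherwise it is 0, and notice that the answer's fetch()-based version returns true when the user exists while the question's functions return false on a match, so pick one convention and stick to it.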