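<?php
// Secure: a prepared statement keeps the user input out of the SQL text, and the
// password is verified in PHP against a stored password_hash() value instead of
// being compared inside the query (the original `AND password = ?` form was
// injection-safe but required the table to hold plaintext passwords).
//
// Inputs:  $mysqli (an open mysqli connection), $_POST['username'], $_POST['password'].
// Result:  $authenticated is true only when the username exists and the submitted
//          password verifies against the stored hash.
// Assumes: users.password holds a password_hash() result — confirm against the schema.

// Absent form fields become '' rather than null, so bind_param() always receives a string.
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

// prepare() returns false on failure (bad SQL, lost connection) when mysqli is not in
// exception mode; fail loudly here rather than calling a method on false below.
$stmt = $mysqli->prepare("SELECT password FROM users WHERE user = ?");
if ($stmt === false) {
    throw new RuntimeException('Failed to prepare statement: ' . $mysqli->error);
}

// Bind the user input to the placeholder; only the username is sent to the database.
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($storedHash);

// fetch() returns true for a row, null when no row matched, false on error.
// A missing user and a wrong password take the same path, so the outcome does not
// reveal which of the two failed; password_verify() is timing-attack safe.
$authenticated = $stmt->fetch() === true
    && is_string($storedHash)
    && password_verify($password, $storedHash);
$stmt->close();

// ... continue: on success, start (or regenerate) the session; otherwise reject the login.
?>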
