For a piece of code to be open to SQL injection you simply need to take user input (typically from a form) and pass it to the database without escaping it.
As the input is not escaped the user can break out of the intended query.
The most basic example of this in PHP/MySQL is as follows:
$mysqli->query("SELECT * FROM some_table WHERE some_column = '{$_POST['some_field']}'");
In your example it would be passing the posted username/password to a database query without escaping it.
For protecting from SQL injection in mysqli
you can either use real_escape_string
or prepared statements
.
For a login system generally it is best practise to query the database and see if a match is found rather than looping through every username and password stored to see if there is a match. Imagine if there were a million user accounts. That way you also don't need to transfer username/passwords from the database as you can just SELECT 1
and look at the number of rows returned. This makes for cleaner, faster, and more secure code.