Question

if (isset($_POST['Login'])) {

    $UserName = $_POST['UserName'];
    $Password = $_POST['Password'];

    // user-supplied values are interpolated straight into the SQL string
    $login_query = mysqli_query($GLOBALS["___mysqli_ston"], "select * from voters where Username='$UserName' and Password='$Password' and Status='Unvoted' and Year='1st year'") or die(((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)));
}

Solution

You should look into using Prepared Statements, rather than concatenating results from your input directly. Otherwise you're vulnerable to SQL Injection.

Other tips

Anytime that you're using the variable that a user submitted and don't protect against it, you're vulnerable.

As rogue said, you can use Prepared Statements, or use some version of quoting, such as PDO's:

$password = $db->quote($password);
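The same login query written with prepared statements, covering both the mysqli route from the accepted answer and the PDO route mentioned above. This is an added example, not code from the question or either answer; it assumes an open mysqli connection in `$mysqli`, an open PDO connection in `$pdo`, and the `voters` table and columns exactly as in the question. With placeholders the SQL text is fixed before any user value is sent, so the values cannot change the query's structure, which is what the string-interpolated version allows.

```php
<?php
// Added example (not from the original question or answers).
// Assumes: $mysqli is a connected mysqli object, $pdo a connected PDO object,
// and the `voters` table has the columns used in the question.

// mysqli: "?" placeholders, values bound afterwards with their types ('s' = string).
// Note: mysqli_stmt_get_result() requires the mysqlnd driver.
function loginVoterMysqli(mysqli $mysqli, string $userName, string $password): ?array
{
    $sql = "SELECT * FROM voters WHERE Username = ? AND Password = ?"
         . " AND Status = 'Unvoted' AND Year = '1st year'";
    $stmt = mysqli_prepare($mysqli, $sql);
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($mysqli));
    }
    mysqli_stmt_bind_param($stmt, 'ss', $userName, $password);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException(mysqli_stmt_error($stmt));
    }
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;   // null when no matching unvoted first-year voter exists
}

// PDO: named placeholders; quoting is handled by the driver, not by string building.
function loginVoterPdo(PDO $pdo, string $userName, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM voters WHERE Username = :u AND Password = :p'
        . " AND Status = 'Unvoted' AND Year = '1st year'"
    );
    $stmt->execute([':u' => $userName, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same entry point as the question, with the raw POST values passed as bound
// parameters instead of being spliced into the SQL text.
if (isset($_POST['Login'])) {
    $voter = loginVoterMysqli($mysqli, $_POST['UserName'] ?? '', $_POST['Password'] ?? '');
    if ($voter === null) {
        // login failed: no row matched, handle as the application requires
    }
}
```

A value such as `' or '1'='1` submitted as the username is compared literally against the Username column here, whereas in the interpolated query it would become part of the SQL.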
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow