Question

I want my login to be super secure, or at least secure, but I need help with my register script. What's the next step to making this script a secure login script? I have the login and register part, I just need the secure part.

<?php
// Register script as posted. configdb.php is expected to provide the $mysqli connection.
// The string-built queries and plaintext password storage are left as they were,
// since that is what the answer below addresses.
include('configdb.php');
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}
if (isset($_POST['submit']))
{
    //whether the username is blank
    if ($_POST['username'] == '')
    {
        $_SESSION['error']['username'] = "User Name is required.";
    }
    //whether the email is blank
    if ($_POST['email'] == '')
    {
        $_SESSION['error']['email'] = "E-mail is required.";
    }
    else
    {
        //whether the email format is correct
        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9._-]+)+$/", $_POST['email']))
        {
            //if it has the correct format, whether the email already exists
            $email = $_POST['email'];
            $sql1 = "SELECT * FROM user WHERE email = '$email'";
            $result1 = mysqli_query($mysqli, $sql1) or die(mysqli_error($mysqli));
            if (mysqli_num_rows($result1) > 0)
            {
                $_SESSION['error']['email'] = "This Email is already used.";
            }
        }
        else
        {
            //this error is set if the email format is not correct
            $_SESSION['error']['email'] = "Your email is not valid.";
        }
    }
    //whether the password is blank
    if ($_POST['password'] == '')
    {
        $_SESSION['error']['password'] = "Password is required.";
    }
    //if an error exists, go back to the registration form
    if (isset($_SESSION['error']))
    {
        header("Location: index.php");
        exit;
    }
    else
    {
        $username = $_POST['username'];
        $email = $_POST['email'];
        $password = $_POST['password'];
        $com_code = md5(uniqid(rand()));

        $sql2 = "INSERT INTO user (username, email, password, com_code) VALUES ('$username', '$email', '$password', '$com_code')";
        $result2 = mysqli_query($mysqli, $sql2) or die(mysqli_error($mysqli));
    }
}

Solution

Seems like it's vulnerable to SQL injection. You can prevent it, and here's the guide on how to prevent it by escaping parameter strings using mysqli_real_escape_string:

https://stackoverflow.com/questions/4034441/sql-injection-attack
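As an added example (editor's code, not the asker's script or the answerer's suggestion), here is the same registration flow rewritten so that every query is a prepared statement with bound parameters, which removes the injection the answer points at without relying on escaping, and with the password stored as a password_hash() digest rather than plaintext, which is the other visible weakness in the posted script. Everything below is an assumption for the sake of a stand-alone run: it uses PDO with an in-memory SQLite database instead of the $mysqli connection from configdb.php (swap the DSN for MySQL in a real deployment), the function names openDb, registerUser and loginUser are made up, and the requests at the bottom are constructed sample input standing in for $_POST.

```php
<?php
// Added example: parameterised queries + hashed passwords for the register/login flow.
// Assumption: in-memory SQLite via PDO so the file runs offline; the table mirrors the
// original "user" columns, but the password column now holds a hash.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        com_code TEXT NOT NULL)');
    return $pdo;
}

/** Validate the submitted fields and insert the user. Returns field => error message, empty on success. */
function registerUser(PDO $pdo, array $post): array
{
    $errors   = [];
    $username = trim($post['username'] ?? '');
    $email    = trim($post['email'] ?? '');
    $password = $post['password'] ?? '';

    if ($username === '') {
        $errors['username'] = 'User Name is required.';
    }
    if ($email === '') {
        $errors['email'] = 'E-mail is required.';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Your email is not valid.';
    } else {
        // The e-mail is bound as a parameter: it is sent as data, never spliced into the SQL text,
        // so a value like  x' OR '1'='1  is compared literally instead of altering the query.
        $stmt = $pdo->prepare('SELECT COUNT(*) FROM user WHERE email = ?');
        $stmt->execute([$email]);
        if ((int) $stmt->fetchColumn() > 0) {
            $errors['email'] = 'This Email is already used.';
        }
    }
    if ($password === '') {
        $errors['password'] = 'Password is required.';
    }
    if ($errors !== []) {
        return $errors;
    }

    // Confirmation code from a CSPRNG; md5(uniqid(rand())) in the original is guessable.
    $comCode = bin2hex(random_bytes(16));
    // password_hash() picks a salt and a slow algorithm (bcrypt by default); the plaintext is never stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('INSERT INTO user (username, email, password, com_code) VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $email, $hash, $comCode]);
    return [];
}

/** Login check: look the hash up by username (bound parameter) and compare with password_verify(). */
function loginUser(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample requests standing in for $_POST (not real traffic).
$pdo = openDb();
var_dump(registerUser($pdo, ['username' => 'alice', 'email' => 'alice@example.com', 'password' => 'correct horse']));
var_dump(registerUser($pdo, ['username' => '', 'email' => 'alice@example.com', 'password' => '']));
// Injection attempt against the login query: with the string-built SQL of the original this
// payload would change the WHERE clause; here it is just a username that does not exist.
var_dump(loginUser($pdo, "alice' OR '1'='1", 'anything'));
var_dump(loginUser($pdo, 'alice', 'correct horse'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
```

Run it with `php register_example.php`. The second registration call returns three error messages (blank username, duplicate e-mail, blank password), the injection-style login fails because no row has that literal username, and only the correct password verifies against the stored bcrypt hash. Binding parameters is the fix the linked answer is about; escaping with mysqli_real_escape_string also works for string values if the connection charset is set, but prepared statements make the separation of code and data structural rather than something each call site has to remember.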

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow