Save sqlinjectionform.php as sqlinjectionform2.php. This page illustrates how mysqli_real_escape_string() cannot fix all problems.
Change the username form field to a userID field by editing its name and id. You will also need to change the label, rename the username variable to userID, and then change the query to this:
SELECT username FROM member WHERE userID=$userID AND password='$password';
You do not need the single quotes around the $userID variable because it contains a number, not text. The password is a string, so it does have quotes. This follows the rules of SQL and most programming languages.
Test the page by typing in a user ID of 1 and the password sara. It should let you in. Now try it with 1 and bleh; it should refuse the login.
To illustrate the attack, try logging in with this as the user ID:
1 OR 1=1
and the password as bleh. You should be logged in even with the wrong password.
The function mysqli_real_escape_string() will not help here because the variable contains no single quotes or other special characters, so what the user typed is inserted into the query unchanged. The OR becomes part of the SQL itself, the WHERE condition is true for every row, and the user is logged in.
The fix is easy. Put single quotes around variables inside queries even when they should contain numbers. Change the query again by putting quotes around the variable:
$sqlResult=mysqli_query($dbconnection, "SELECT username FROM member WHERE userID='$userID' AND password='$password';");
It should now match only the single row whose userID is 1: the text after the space is ignored when MySQL converts the quoted string to a number. Be aware that comparing a quoted string against a numeric column can cause problems with WHERE conditions that use the less-than or greater-than operators.
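The three variants side by side, as an added example that is not part of the exercise: the unquoted query, the quoted query the exercise recommends, and a prepared statement, which keeps user input out of the SQL text altogether instead of relying on MySQL's string-to-number conversion (and so avoids the less-than/greater-than problem). It assumes the member table and $dbconnection from the exercise; filter_var, prepare and bind_param are standard PHP.

```php
<?php
// Added example, not part of the original exercise. Assumes the member table
// (userID, username, password) and the $dbconnection from the exercise.

// Escaping approach from the exercise; $quoteID switches between the unquoted
// query and the quoted one.
function escapeVersion(mysqli $db, string $userID, string $password, bool $quoteID): ?string {
    $userID   = mysqli_real_escape_string($db, $userID); // no effect on "1 OR 1=1"
    $password = mysqli_real_escape_string($db, $password);
    // Unquoted, "1 OR 1=1" becomes part of the SQL; quoted, MySQL converts the
    // string to a number and reads it as 1.
    $idPart = $quoteID ? "'$userID'" : $userID;
    $sql = "SELECT username FROM member WHERE userID=$idPart AND password='$password'";
    $result = mysqli_query($db, $sql);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    return $row['username'] ?? null;
}

// Prepared statement: user input never becomes part of the SQL text.
function preparedVersion(mysqli $db, string $userID, string $password): ?string {
    // Reject anything that is not a whole number before the database sees it.
    $id = filter_var($userID, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("SELECT username FROM member WHERE userID=? AND password=?");
    // "i" sends userID as an integer, "s" the password as a string; no quoting needed.
    $stmt->bind_param("is", $id, $password);
    $stmt->execute();
    $username = null;
    $stmt->bind_result($username);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $username : null;
}

// Constructed inputs: the exercise's injection string with the wrong password,
// and a genuine login.
$attempts = [['1 OR 1=1', 'bleh'], ['1', 'sara']];
foreach ($attempts as [$uid, $pw]) {
    echo "userID=$uid password=$pw\n";
    var_dump(escapeVersion($dbconnection, $uid, $pw, false)); // unquoted query
    var_dump(escapeVersion($dbconnection, $uid, $pw, true));  // quoted query
    var_dump(preparedVersion($dbconnection, $uid, $pw));      // prepared statement
}
```

Only the unquoted variant accepts the injection string with the wrong password; the quoted variant and the prepared statement both return null for it, and all three return the username for a correct userID and password.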