Validate input strings on the server side Exapmle:
$con=mysqli_connect("localhost","user","password","db");$username=mysqli_real_escape_string($con,$_POST['username']);$password=mysqli_real_escape_string($con,$_POST['password']);$sql_command="select * from users where username = '".$username;$sql_command.="' AND password = '".$password."'";