I have decided to move over to mysqli as I keep getting flamed when people spot my mysql code :-)

Could someone verify the below is correct, it all works but I just want to make sure I am not doing something stupid or presenting a security risk before I move onto the rest of the site. This is the php for username/password check on login.

<?php
//Start session
session_start();

//Include database connection details
require_once('db_connect.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;


// cleanup POST variables
$username = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['username'])));
$password = mysqli_real_escape_string($mysqli, stripslashes(trim($_POST['password'])));

//Input Validations
if($username == '') {
    $errmsg_arr[] = 'Username required';
    $errflag = true;
}
if($password == '') {
    $errmsg_arr[] = 'Password required';
    $errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
    $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
    session_write_close();
    header("location: logon.php");
    exit();
}

//Load and run query
$result = mysqli_query($mysqli, "SELECT * FROM auth WHERE username='$username' AND password='$password'");

if ($result->num_rows) {
//Login Successful
        session_regenerate_id();
        //Set session variables
        $member = $result->fetch_assoc();
        $_SESSION['SESS_MEMBER_ID'] = $member['ID'];
        $_SESSION['SESS_USERNAME'] = $member['username'];
        $_SESSION['SESS_FIRST_NAME'] = $member['fname'];
        $_SESSION['SESS_PASSWORD'] = $member['password'];
        $_SESSION['SESS_AUTH_LEVEL'] = $member['auth_level'];
        session_write_close();
        header("location: index");
        exit();
    }else {
        //Login failed
        $errmsg_arr[] = 'user name or password not found';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location: logon.php");
            exit();
        }
    }
mysqli_close($mysqli); 
?>

Many thanks!

Well, you would want to use prepared statements here, because you're not executing a static SQL query - that's what mysqli_query() is to be used for.

So, here's what you would need to do:

1. Don't bother with the // cleanup POST variables section.
2. Change the //Load and run query section to use a prepared statement.

3. First, we want to prepare it: http://php.net/manual/en/mysqli.prepare.php

   $query = mysqli_prepare($mysqli, "SELECT * FROM auth WHERE username=? AND password=?");

4. Then we want to give Mysqli what the ? marks are: http://www.php.net/manual/en/mysqli-stmt.bind-param.php

   $query->bind_param('ss', $username, $password);

Then, use bind_result and fetch (see index at http://www.php.net/manual/en/class.mysqli-stmt.php) to get the result and store into the session variables.