I keep getting told by people my code (https://github.com/LaughingQuoll/Administrator-Control-Panel) is vunerable to SQL injection. That all great but I dont understand how to fix it. I think I fixed in in the index.php file but I dont know. Could someone please take a look over it and suggest how I can fix it or if I did fix it with my recent commit. Thanks.
While this is not a code review site, but a question and answer site, I would like to point out that as long as you are doing things like this....
$result = mysqli_query("SELECT * FROM members WHERE username='" . $uername . "' and password = '". $password."'");
in your code where you are concatenating values into your code without first passing them through the proper escape functions, you are definitely vulnerable to SQL injection. You're also vulnerable to human error (forgetting to escape or escaping incorrectly).
Even though here you do pass the value into mysqli_real_escape_string you're doing it before the connection to the SQL server is established, and thus before the charset is negotiated between the client and server, which means you are still be vulnerable to SQLi.
Caution
Security: the default character set
The character set must be set either at the server level, or with the API function
mysqli_set_charset()for it to affectmysqli_real_escape_string(). See the concepts section on character sets for more information.
Not going to bother doing a full audit on your code here, but I am going to point you to How can I prevent SQL injection in PHP? and also https://stackoverflow.com/a/12202218/1878262 for more details on why character set negotiation is still important to preventing SQLi.