如何防止SQL注入中的PHP和MYSQL代码

Question

我在这里有一些PHP和MYSQL代码，我不知道如何防止SQL注入，当我在网上查找文章和示例时，这对我来说太混乱了，所以有人可以帮助我一步一步地修复我的代码吗？

poststatus.php：

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

include("connect.php");
include("auth_login.php"); 

// just define at the top of the script index.php
$username = ''; 
$username = $_SESSION['username'];

$body = ''; 

if(isset($_POST['bts'])) {

if (empty($_POST["body"])) {
echo"You didn't enter anything . <a href= profile.php>Try again</a>";
} else {
$body = $_POST["body"];
$sql = "INSERT INTO posts (username, body ) VALUES ('" . $username . "', '" . 
$body . "')";

if(mysqli_query($conn, $sql)){                                  

echo"<a href= home.php>Post added to your timeline.</a>"; 
} else{
echo "<br>error posting . <br> <a href= profile.php>Try again</a> " . 
mysqli_error($conn);
} 
} 
}

process.php：

//check if form is submitted
if ( $_SERVER['REQUEST_METHOD'] != 'POST' || 
     ! isset($_POST['Register'])) 
{
    // looks like a hack, send to index.php
    header('Location: index.php');
    exit;
}

GLOBAL $username;
GLOBAL $pw;
GLOBAL $pw2;
GLOBAL $email;

include("connect.php");

            if(isset($_POST['Register'])) {

               if (empty($_POST["username"])) {
                echo"fill in username to sign up";
                } else {

                if (empty($_POST["pw"])) {
                 echo"fill in password to sign up";
                } else {

                if (empty($_POST["pw2"])) {
                echo"confirm password to sign up";
                 } else {

                if (empty($_POST["email"])) {
                     echo"fill in email to sign up";
                 } else {

                if ($_POST['pw'] == $_POST['pw2']) {
                 $username = mysqli_real_escape_string($conn, $_POST["username"]);
                 $pw= mysqli_real_escape_string($conn, $_POST["pw"]);
                 $pw2= mysqli_real_escape_string($conn, $_POST["pw2"]);
                 $email = mysqli_real_escape_string($conn, $_POST["email"]);

                 $result = mysqli_query($conn ,"SELECT * FROM users WHERE username='" . $username . "'");

                    if(mysqli_num_rows($result) > 0)
                    {
                    echo "Username exists . <a href= index.php>Try again</a><br /> ";
                    } else {

                       $result2 = mysqli_query($conn ,"SELECT * FROM users WHERE email='" . $email. "'");

                       if(mysqli_num_rows($result2) > 0)
                       {
                       echo "email exist";
                       } else {

                       $pw = password_hash($pw, PASSWORD_BCRYPT, 
array('cost' => 14));           

                       $sql = "INSERT INTO users (username, pw, email) 
VALUES('" . $username . "', '" . $pw . "', '" . $email . "')";

                       if(mysqli_query($conn, $sql)){                                  
                       // if insert checked as successful echo username and 
password saved successfully
                       echo"Registration successful . <a href = index.php> 
Sign in.</a>"; 
                       }else{
                       echo mysqli_error($conn);
                       }   

                    } } } else{
            echo "The passwords do not match.";  // and send them back to 
registration page
            }
}
}}}}