Avoid SQL Injection in a Login Form

Good morning, everyone,

I'm new to protecting against SQL injection. I always learned only to validate the inputs and then use them in the query, always with mysqli_query and mysqli_fetch_array.

I have the following code to check whether the login is correct or not (it works without problems). Can you tell me if this avoids SQL injection? If not, what should I do? Thank you for your time and help.

if (isset($_POST['login'])) {

    // Referer is sent by the browser and can be anything the client chooses,
    // so the redirect target built from it is not trustworthy.
    $link       = $_SERVER['HTTP_REFERER'];
    $base_url   = strtok($link, '?');            // Get the base url
    $parsed_url = parse_url($link);              // Parse it
    $query      = $parsed_url['query'] ?? null;  // null when there is no query string

    if (!isset($query)) {
        $redireciona = $link;
    } else {
        $redireciona = substr($link, 0, strpos($link, "failed") - 1);
    }

    $user = trim($_POST['sp_uname']);
    $pass = trim($_POST["sp_pass"]);

    // The username travels as a bound parameter; it is never spliced into the SQL text
    $stmt = $ligadb->prepare("SELECT id_user, u_user, u_nome, u_password, u_perfil FROM users WHERE u_user=? LIMIT 1");
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($user_id, $user, $nome, $password, $perfil);

    if ($stmt->num_rows == 1) {                  // To check if the row exists
        $destino = $redireciona;
        if ($stmt->fetch()) {                    // fetching the contents of the row
            if (password_verify($_POST["sp_pass"], $password)) {
                $_SESSION['user']   = $user;
                $_SESSION['perfil'] = $perfil;
                $_SESSION['id']     = $user_id;
                $_SESSION['nome']   = $nome;
            } elseif (!isset($query) || $query === "failed") {
                # Redirect user to error page
                $destino = $redireciona . '?failed';
            } elseif (strpos($link, 'failed') !== false) {
                $destino = $link;
            } else {
                $destino = $link . '&failed';
            }
        }
    } elseif (strpos($link, 'failed') !== false) {
        $destino = $link;
    } else {
        $destino = $link . '&failed';
    }
    $stmt->close();

    // One redirect, then stop: without exit the script keeps running and a later
    // header('Location: ...') call would replace this one.
    header('Location: ' . $destino);
    exit;
}
// Reached only when the form was not submitted; on the redirect paths PHP
// closes the connection when the script exits.
$ligadb->close();
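For comparison, here is the same check written as an added example (not the asker's code): the username is bound as a parameter, the stored hash is checked with password_verify, the lookup takes about the same time whether or not the user exists, and the redirect goes to a fixed server-side path instead of the Referer. The column names follow the question; `$ligadb` is assumed to be an open mysqli connection and `/login.php` and `/index.php` are assumed page paths.

```php
<?php
// Added example, not the asker's code. Assumes $ligadb is an open mysqli
// connection and a `users` table with the columns used in the question.

function autenticar(mysqli $ligadb, string $user, string $pass): ?array
{
    // The only user-controlled value in the SQL is sent as a bound parameter,
    // so it can never be parsed as part of the statement text.
    $stmt = $ligadb->prepare(
        'SELECT id_user, u_user, u_nome, u_password, u_perfil FROM users WHERE u_user = ? LIMIT 1'
    );
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($id, $u_user, $nome, $hash, $perfil);

    $encontrado = $stmt->fetch() === true;   // false when no row matched
    $stmt->close();

    // Verify against a freshly made dummy hash when the user does not exist, so an
    // unknown username and a wrong password cost roughly the same time.
    $hashParaVerificar = $encontrado ? $hash : password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $hashParaVerificar);
    if (!$encontrado || !$ok) {
        return null;
    }
    return ['id' => $id, 'user' => $u_user, 'nome' => $nome, 'perfil' => $perfil];
}

if (isset($_POST['login'])) {
    session_start();
    $dados = autenticar($ligadb, trim($_POST['sp_uname'] ?? ''), $_POST['sp_pass'] ?? '');
    if ($dados === null) {
        header('Location: /login.php?failed');   // fixed, server-chosen target (assumed path)
        exit;
    }
    session_regenerate_id(true);                 // new session id once the user is authenticated
    $_SESSION['id']     = $dados['id'];
    $_SESSION['user']   = $dados['user'];
    $_SESSION['nome']   = $dados['nome'];
    $_SESSION['perfil'] = $dados['perfil'];
    header('Location: /index.php');              // assumed path
    exit;
}
```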
    This can help; it is an excellent answer: https://answall.com/questions/3864/como-prevenir-inje%C3%A7%C3%A3o-de-c%C3%B3digo-sql-no-meu-c%C3%B3digo-php

  • Thanks Miguel, since I already use prepared statements in the excerpt above I wanted to know if it is enough. The problem is that I have already researched and read so much that I get confused with the multiple paths/solutions; I wonder if this is the right way and if there is something to add to improve it.

No answers