I'm pretty sure this code has something wrong with it:
$sql="select * from user where username={$_POST['username']}AND pwd= {$_POST['password']}";
$r = mysqli_query($link,$sql);
if($r)
{
$_SESSION['loggedin']=true;
echo "Welcome". $_POST['username'];
}
Yes, you are exposed to SQL injection. Please learn about preapred statements.
Also, you apparently store passwords in plain-text. That's a security risk since if your database is exposed (due to SQL injection attack, for example, cough cough), all of your passwords could be compromised.
A few links:
