Merlin 🤖

Can you guys tell me if you see any major security flaws in this login method, the $user and $password variables are taken straight from html form. public function login($user,$password){ $encrypted_password = crypt($password,"afYHbf765Hmd3asdft1mpoz"); if(1 == mysql_num_rows($result = mysql_query("SELECT * from users WHERE userName='$user' and password = '$encrypted_password'"))){ $_SESSION['user']=$user; $_SESSION['logged_in']=true; //get privelege level $result = mysql_query("SELECT privilegeLevel from users WHERE userName='$user' and password = '$encrypted_password'"); $row = mysql_fetch_array($result); $_SESSION['user_privilege_level'] = $row[0]; return true; } else { $_SESSION['logged_in']=false; if (empty($result)){ echo mysql_error(); } return false; } }