I'm updating the existing php5 page to the php 7 version. The code in php 5 page has been working well. I'm trying to make it work before upgrading php5 to php7 in the admin.

------------ partly excerpted ----------
mysqli_select_db($link, $database);
$query = "SELECT * FROM database";
$Result = mysqli_query($byte, $query) or die(mysql_error());
$row = mysql_fetch_assoc($Result);
$totalRows = mysql_num_rows($Result);

---------------------- partly excerpted in the Result page --------------
<?php if ($totalRows > 0 ) { // Show detail ?>

[ html code ..... etc. etc. ]

<?php do { ?>
<li>
<a href="/index.php?id=<?php echo $row['ID']; ?>" <?php if ($_GET["id"] == $row['ID']) { ?>class="active"<?php } ?>><?php echo $row['Title']; ?></a>
</li>
<?php } while ($row = mysql_fetch_assoc($Result)); ?>

[ html code etc.. ]

<?php } // end ?>
------------ Result -----------

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, object given in /di/...../ on line ..

Warning: mysql_num_rows() expects parameter 1 to be resource, object given in /..../....


I've made changes such as from mysql to mysqli, etc., but now this is where I'm stuck. Your help will be greatly appreciated. Thank you.

    You'll need to replace all of your mysql_* calls with the appropriate mysqli_* calls, not just one or two. And note the difference in what you pass them. Code smells I won't comment on.

      Because magic_quotes has also been removed from php, there's no longer any protection against sql special characters in external string data breaking the sql query syntax, which is how sql injection is accomplished (your example query isn't putting any external data into the query, but you likely have queries that do based on your previous posts.)

      The simplest solution, that eliminates php code and sql syntax, rather than has you spending your time converting it, that's also secure, is to skip the mysqli extension altogether, and use the PDO extension. Also, use prepared queries when supplying external/unknown data to an sql query statement (while this adds a single php statement per query, it also simplifies the sql query syntax), use implicit binding with a prepared query (supply an array of input values to the ->execute([...]) method call), and use exceptions for error handling (this adds one statement, when you make the database connection, and eliminates the or die(...) statements.) When you make the connection using PDO, set the error mode to exceptions, set emulated prepared queries to false, and set the default fetch mode to assoc.

      You should also separate the database specific code, that knows how to query for and fetch data, from the presentation code, that knows how to produce the output from the data. To do this, put the database specific code above the start of the html document, fetch all the data from a query into an appropriately named php variable, then test/loop over this variable at the appropriate point in the html document. If, in the future, you switch to using an api to get data, you won't have to touch the presentation code in your html document, just fetch the data and put it into the php variable that the html document is expecting as its input.

      While this sounds like a lot of work, it results in the simplest, secure, overall solution.
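The PDO rewrite the reply above describes, as an added example that is neither the poster's code nor the replier's. It assumes a table named `pages` with `ID` and `Title` columns (the post queries a table literally named `database`; `pages` is a placeholder), connection credentials in `$dbUser` and `$dbPassword` defined elsewhere, and reuses the `$database` variable from the poster's snippet. The database code sits above the html, fills `$pages` and `$requestedId`, and the html below only reads those two variables.

```php
<?php
// Added example, not the original post's code. Assumed: table `pages` (ID, Title),
// $database from the poster's snippet, $dbUser / $dbPassword defined elsewhere.

// ---- database code: above the start of the html document -----------------
$dsn = "mysql:host=localhost;dbname=$database;charset=utf8mb4";

$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw; no more "or die(...)"
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,       // rows as assoc arrays, like mysql_fetch_assoc
];

$pdo = new PDO($dsn, $dbUser, $dbPassword, $options);

// No external data goes into this statement, so a plain query is fine.
// fetchAll() replaces the do/while over mysql_fetch_assoc and gives the html one variable to loop over.
$pages = $pdo->query("SELECT ID, Title FROM pages ORDER BY ID")->fetchAll();

// External data (the ?id= value from the URL): validate it, then use a prepared
// query with implicit binding so the value is never spliced into the sql text.
$requestedId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT); // int, false (invalid) or null (absent)
$currentPage = null;
if (is_int($requestedId)) {
    $stmt = $pdo->prepare("SELECT ID, Title FROM pages WHERE ID = ?");
    $stmt->execute([$requestedId]);  // the array supplies the bound value
    $currentPage = $stmt->fetch();   // false when no row matched
}
?>
<!-- ---- presentation code: only touches $pages and $requestedId --------- -->
<?php if (count($pages) > 0) { // Show detail ?>
<ul>
<?php foreach ($pages as $row) { ?>
<li>
<a href="/index.php?id=<?php echo (int) $row['ID']; ?>"<?php if ($requestedId === (int) $row['ID']) { ?> class="active"<?php } ?>><?php echo htmlspecialchars($row['Title'], ENT_QUOTES, 'UTF-8'); ?></a>
</li>
<?php } ?>
</ul>
<?php } // end ?>
```

With `ERRMODE_EXCEPTION` an uncaught `PDOException` ends the request with a fatal error; on a production server keep `display_errors` off and log it rather than echoing the exception message (which contains the query and host details) to the visitor. `htmlspecialchars` on the output side is the counterpart of the prepared query on the input side: the prepared query keeps external data out of the sql, and escaping keeps database data from being interpreted as html.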
