How do i secure my login. php page from sql injection attacks?

Question

i was told that my login page is still not secure even if i use the mysqli_real_escape_string function. can you please look at my code and show me a way i could better secure my login. here is the code:

<?php
session_start();
include("includes/config.php");

if(isset($_POST['login'])){
$email = mysqli_real_escape_string($connection,$_POST['email']);
$pass = mysqli_real_escape_string($connection,$_POST['pass']);
$pass = md5($pass);

$get_user = "SELECT * FROM members WHERE user_email='$email' AND user_pass='$pass'";
$run_user = mysqli_query($connection,$get_user);
$check = mysqli_num_rows($run_user);

if($check==1){
    $_SESSION['user_email']=$email;
    $rows_check = mysqli_fetch_array($run_user);
    $activate = $rows_check['activate'];

    if($activate == 0){
        echo "<script>window.open('lock_out.php','_self')</script>";
    }
    if($activate == 1){
        echo "<script>window.open('home.php','_self')</script>";
        $stat = 1;
        $update = "UPDATE members SET online='$stat' WHERE       user_email='$email'";
        $run_update = mysqli_query($connection,$update);            
    }
} else {
    echo "<script>alert('Password or email is not correct!')</script>";
    echo "<script>window.open('index.php','_self')</script>";
  }
}
?>