That code is wide open to SQL Injection attack as it lets user-submitted data near the database without sanitizing it. All user-submitted data should be sanitized, and when using it in a query you should be using prepared statements, which eliminate the risk of SQL Injection attack.
$stmt = mysqli_prepare($mysqli, "SELECT id, name FROM product WHERE type = ?"); // $mysqli is an open mysqli connection; column names are examples
$stmt->bind_param("s", $type); // If you were searching for more than one there would be multiple "s" and variables; "s" means string, i = integer, and so forth
$stmt->execute();
$stmt->bind_result($id, $name); // One variable per selected column, which is why the SELECT names specific columns rather than using *
while ($stmt->fetch()) { // then fetch each row and close the statement
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
BTW I don't know if this will work, for it's untested and I normally use PDO.
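The same lookup written with PDO, added here as an example and not part of the answer above. The DSN, credentials, and the `product` columns `id`, `name`, `type` are assumed placeholders; it also shows binding an integer (the "i" type mentioned above) for a LIMIT, which only works as a real prepared parameter when emulated prepares are switched off.

```php
<?php
// Added example (not the answerer's code). Connection details are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: SQL and values travel separately
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/**
 * Look up products of one type. $type is untrusted request input; it is never
 * concatenated into the SQL text, so quotes or SQL keywords in it are just data.
 */
function findProductsByType(PDO $pdo, string $type, int $limit = 50): array
{
    // Assumed table/columns: product(id, name, type)
    $stmt = $pdo->prepare(
        'SELECT id, name FROM product WHERE type = :type ORDER BY id LIMIT :limit'
    );
    $stmt->bindValue(':type', $type, PDO::PARAM_STR);   // "s" in mysqli terms
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // "i" in mysqli terms
    $stmt->execute();

    return $stmt->fetchAll();
}

// Raw request value: no escaping needed before binding it.
$type = $_GET['type'] ?? '';

foreach (findProductsByType($pdo, $type) as $row) {
    // Escape on output to the browser; that is a separate concern from SQL injection.
    printf("%d: %s\n", $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
```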