[I assume that you meant $mysqli is mysqli connection.]
Although the execution of stmt1 (the last of your three queries) is safe, the multi-query function you wrote is very unsafe. Running something like
userQuery("'; delete from user; select * from user where username="");
will actually delete all users from your user table. Assuming $username represents raw user input without proper escaping, the consequences can be catastrophic.
You could possibly improve the above and do the escaping on your own using mysqli::real_escape_string, but there are many more sophisticated ways to do hacks like one above. Prepared statements are all in all a better solution.
4
solved plain mysql prepare statement prevent injection attack?