PHP SQL injection prevention

Question

how to prevent sql injection by using escape string or other method?? i do have some codes, but i not sure how to do? any help?

<?php
                            if (isset($_POST['submit'])){
                            session_start();
                            $username = $_POST['username'];
                            $password = $_POST['password'];
                            $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
                            $result = mysql_query($query)or die(mysql_error());
                            $num_row = mysql_num_rows($result);
                                $row=mysql_fetch_array($result);
                                if( $num_row > 0 ) {
                                    header('location:dashboard.php');
                            $_SESSION['id']=$row['user_id'];
                                }
                                else{ ?>
                            <div class="alert alert-danger">Access Denied</div>     
                            <?php
                            }}
                            ?>

Answer 1

Use PDO and not the old mysql function which is deprecated and will be removed in the future:

$conn = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$sql = "INSERT INTO table ( field1, field2, field3)
                 VALUES ( :field1, :field2, :field3";

$q = $conn->prepare($sql);
$q->execute(array(':field1'=>$field1,
                 ':field2'=>$field2,
                 ':field3'=>$field3
                 ));

Answer 2

you can pass these two POST variables in escape method

 $username = mysql_real_escape_string($_POST['username']);
 $password = mysql_real_escape_string($_POST['password']);