How to prevent SQL injection?

Hey guys,

Could you help me understand how to implement

mysql_real_escape_string

to prevent injection in this code ?

<?php

    if(loggedin()){
        echo "You are already logged in.";
    } else {
        if($_POST['submit']){
            if($_POST['username'] && $_POST['password']) {
                $username = $_POST['username'];
                $password = $_POST['password'];
                $password = md5($password);
                $res = mysql_query("SELECT * FROM users WHERE username='$username'");
                if(mysql_num_rows($res) == 0){
                    echo "Utilizator inexistent, click <a href='index.php?act=register'>aici</a> pentru inregistrare.";
                    exit();
                }
                $row = mysql_fetch_assoc($res);
                if($row['password'] == $password) {
                    if(@$_POST['remember' == "on"]) {
                        setcookie('username', $username,time()+36000);
                        echo "You have been logged in,<a href='index.php'>click here</a> to continue.";
                    } else {
                        $_SESSION['username'] = $username;
                        echo "You have been logged in,<a href='index.php'>click here</a> to continue.";
                    }
                } else {
                    echo "Incorrect password.";
                }
            }
        } else {
            
      
?>