Well, you can use PDO or mysqli. The most interesting point is that you can use prepared statements with both.
If you used mysql before, as in your code, then mysqli is easier to understand for you.
The manual page of PHP has good examples for mysqli with prepared statements.
First of all you need a mysqli connection:
$mysqli = new mysqli("host", "user", "password", "database");
When you have your query, replace all external inputs with a ?.
$q = "SELECT * FROM `dbusers` "
."WHERE `username`=? "
."AND `password`=PASSWORD(?) "
."LIMIT 1";
And create a prepared statement:
$stmt = $mysqli->prepare($q);
Then you can easily bind your params. Because in your case both are strings, you have to use an s for each param.
$stmt->bind_param('ss', $_POST['username'], $_POST['password']);
And then just execute the statement:
$stmt->execute();
With methods like fetch() you can get the result(s).
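The steps above put together as one runnable login check, added here as an example and not part of the original answer. It assumes a table `dbusers` with columns `id`, `username` and `password` (the latter stored with MySQL's PASSWORD() as in the answer; note that PASSWORD() was removed in MySQL 8.0), and the connection values are placeholders.

```php
<?php
// Added example (not from the original answer): a complete login check with a
// mysqli prepared statement, so user input never becomes part of the SQL text.
// Assumptions: table `dbusers` with columns `id`, `username`, `password`
// (hashed with MySQL's PASSWORD()); connection values below are placeholders.

// Throw exceptions on driver errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findUser(mysqli $db, string $username, string $password): ?array
{
    // The SQL text is fixed; the driver fills the two ? markers separately
    // from the query, so quotes or keywords in the input are just data.
    $sql = "SELECT `id`, `username` FROM `dbusers` "
         . "WHERE `username`=? AND `password`=PASSWORD(?) LIMIT 1";

    $stmt = $db->prepare($sql);
    $stmt->bind_param('ss', $username, $password); // one 's' per string placeholder
    $stmt->execute();

    // mysqli_stmt::fetch() writes into variables bound with bind_result().
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name] : null;
    $stmt->close();
    return $row;
}

$mysqli = new mysqli("host", "user", "password", "database");

// Constructed sample input: a name containing a quote is handled correctly
// because it is bound as a value, never spliced into the query string.
$username = $_POST['username'] ?? "o'brien";
$password = $_POST['password'] ?? "secret";

$user = findUser($mysqli, $username, $password);
echo $user ? "Welcome, {$user['username']}\n" : "Invalid credentials\n";
```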