The main problem with your line of code is that it's an open door for SQL injection; a call to get your server hacked. Right in the manual page for the oci_parse()
function you're already using you have an example on how to pass parameters to queries:
$stid = oci_parse($conn, 'begin myproc(:p1, :p2); end;');
oci_bind_by_name($stid, ':p1', $p1);
oci_bind_by_name($stid, ':p2', $p2, 40);
oci_execute($stid);
Your code could look like this:
$username = filter_input(INPUT_POST, 'username');
$password = filter_input(INPUT_POST, 'password');
$stid = oci_parse($conn, "SELECT c1 FROM t1 WHERE c2 = :username AND c3 = :password");
oci_bind_by_name($stid, ':username', $username); // bound by reference, so the values must be in real variables
oci_bind_by_name($stid, ':password', $password);
oci_execute($stid);
... though it's still a good idea to do error checking on the return values. All three functions above return FALSE
on error and you have oci_error() to fetch an array with the last error message.
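An added example, not part of the original answer, showing the same bound query together with the error checking the answer recommends. The table and column names t1, c1, c2 and c3 are the ones from the answer; $conn is assumed to be an open OCI8 connection obtained elsewhere (for example from oci_connect()), and the function name fetch_c1 is made up for this example.

```php
<?php
// Added example (not from the original answer). Assumes $conn is an open
// OCI8 connection and that table t1 with columns c1, c2, c3 exists.

/** Format the last OCI8 error on $resource (connection or statement). */
function oci_last_error_message($resource): string
{
    $e = oci_error($resource);          // returns false if there is no error
    return $e === false ? 'unknown OCI8 error' : $e['message'];
}

/**
 * Look up c1 for a username/password pair using bind variables.
 * The user input never becomes part of the SQL text: Oracle receives the
 * statement and the values separately, so quotes or comments in the input
 * cannot change the query. Returns null when no row matches.
 */
function fetch_c1($conn, string $username, string $password): ?string
{
    $sql = 'SELECT c1 FROM t1 WHERE c2 = :username AND c3 = :password';

    $stid = oci_parse($conn, $sql);
    if ($stid === false) {
        // A failed parse is reported on the connection, not a statement
        throw new RuntimeException('oci_parse failed: ' . oci_last_error_message($conn));
    }

    // oci_bind_by_name() takes the variable by reference and reads it when
    // oci_execute() runs, so the values must live in real variables.
    if (!oci_bind_by_name($stid, ':username', $username)
        || !oci_bind_by_name($stid, ':password', $password)) {
        throw new RuntimeException('oci_bind_by_name failed: ' . oci_last_error_message($stid));
    }

    if (!oci_execute($stid)) {
        throw new RuntimeException('oci_execute failed: ' . oci_last_error_message($stid));
    }

    $row = oci_fetch_assoc($stid);      // false when the result set is empty
    oci_free_statement($stid);

    // Oracle returns unquoted column names in upper case
    return $row === false ? null : (string) $row['C1'];
}

// Usage: pass the raw request values straight through; the binds keep them as data.
$username = filter_input(INPUT_POST, 'username') ?? '';
$password = filter_input(INPUT_POST, 'password') ?? '';
$c1 = fetch_c1($conn, $username, $password);
```

Each OCI8 call is checked immediately and the error is read from the resource that produced it: the connection after a failed oci_parse(), the statement after a failed bind or execute. That is where oci_error() looks for the message, so passing the wrong resource would return false instead of the real error.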