Okay. Let's learn 
what is sql injection first.
SQL injection is not php specific. It affects all server side scripting languages. Read the prevention part of the above post to have a brief understanding on what is required.
The first thing you should do is to store password hash instead of password to your database. PHP has lots of built-in one-was hash implementations. You can use 
md5 or 
sha1 pretty easily.
Steps are given below.
On New User Registration stage,
- User enters username and password.
Code: Select all $password_hash = md5($_POST['password'] . "some random text"); 
 
- You store $password_hash to database
On User Login stage,
- User enters username and password.
- You read username and password_hash from database
Code: Select all if ($_POST['username'] == $db_username && md5($_POST['password'] . "some random text") == $password_hash){
     // correct entry
} 
 
Also, verify user input (especially the ones related to username/password) for internal SQL commands such as SELECT UNION AND OR, etc...
With these simple steps, I'm sure you can get rid of most of the common hacking attempts.
Good luck!!!!