PHP - How to prevent sql injection | prevent hacker using sql injection attack

$query_login = "SELECT * FROM user WHERE username = '" . mysql_real_escape_string(addslashes($username)) . "'";