SQL Injections are the act of injecting arbitrary SQL code into a query tricking the application into doing something unintended. This means an attacker could gain administrator privileges without a password or even delete records.
To prevent SQL Injection's you must check and sanitize any user input. If a text field is supposed to contain numbers make sure the user data is actually a number.
if(!is_numeric($_POST['number'])) die('Please choose a number.');
Sanitizing data before inserting it into a database means escaping any characters that may trick the query. Using addslashes() is helpful but might not be enough. For MYSQL using the mysql_real_escape_string() function makes user data safe.
$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";