使用准备好的语句，

http://php.net/manual/en/pdo.prepared-声明.php

$stmt = mysqli->prepare("select user_id from users where user_name= ? and password= ?");
$stmt->bindParam("ss",$username,$pass);
$stmt->execute();