The mysql_real_escape_string() function escapes data going into the database, and as such it should be invoked upon the data before it is used in the query. In your snippet above, it would be applied onto the $_POST['username'] variable whilst being assigned to the $username variable. You may also want to take a look into filtering your input data, where you can limit the user's input by validating the data entered. For example, if you'd only like usernames to contain alphanumerical characters, then you can use the ctype_alnum() function. These are basic concepts to enabling user input into your web application, and they are a necessity to learn.
In regards to your query, you could simplify the logic by querying for the username and password, and then use MySQL's COUNT() function to return the number of rows selected. This will also be a more optimised method, because we firstly aren't having to fetch all columns (using the * wildcard, which isn't even needed), and secondly we aren't requiring data to be returned; only the number of selected rows.
You may also want to look into a more modern API, such as MySQLi. In the MySQLi API, you can make use of another escaping method, prepared statements, along with much other functionality not seen in the original MySQL extension.
I'd personally avoid using the stripslashes() function, especially since this is user input, and we don't want to deform it before storing it for data persistence. It's a function that I'd only use if I knew that the HTML tags were well-formed (ie, stripping the already-parsed BBCode tags), and it would be applied upon data output. This is only really needed if you're looking to give a preview of part of the text, where the HTML styling is not needed/wanted. Otherwise, I'd still opt to go with htmlspecialchars().