I should also note that I kind of do the same thing with the username as well to avoid injection. This is a rough version of the query I use.
$query = sprintf( "SELECT * FROM users WHERE username_enc='%s' AND password='%s'", md5( $_GET['username']), md5($_GET['password'] ) );

For any other inputs that I get from a form I use the mysql_escape_string function in PHP.
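
For comparison with the query in the post above, here is an added example (not the poster's code) of the same login lookup using bound parameters and PHP's `password_hash()`/`password_verify()` in place of `md5()` and string escaping. It assumes PDO with an in-memory SQLite database standing in for MySQL; the table, columns, function names and sample account are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite stands in for MySQL;
// the schema, the helper names and the sample account are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

function register(PDO $db, string $username, string $password): void
{
    // password_hash() adds a per-password salt and uses a deliberately slow
    // algorithm, unlike a bare md5() of the password.
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $db, string $username, string $password): bool
{
    // The username is sent as a bound parameter, so the driver never parses
    // it as SQL; no hashing or escaping of the lookup key is needed.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    // The password is never placed in the query; it is checked in PHP
    // against the stored salted hash.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs; in the post these values come from the request
// ($_GET there; a login form would normally submit them via POST).
register($db, "o'brien", 'correct horse battery');
var_dump(login($db, "o'brien", 'correct horse battery')); // valid credentials
var_dump(login($db, "o'brien", 'wrong password'));        // bad password
var_dump(login($db, "x' OR '1'='1", 'anything'));         // quote is plain data
```

Because every value reaches the database as a parameter, the same pattern covers the other form inputs without a separate escaping step.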