mysql_real_escape_string() is fine is your the only person on that server otherwise you need to have a resource identifier that is stored in a variable when you connect to the database.
$dbh = mysql_connect(... blah blah blah
now variable $dbh is a handle to the db so that
$xyz = mysql_real_escape_string( $whatIwantToEscape , $dbh);
and the same goes for queries, you would need
$myResult = mysql_query( $dbh , $myQueryString );
On other matters, security of your code is very bad, you should be sanitizing inputs in to an array that you then use and know is safe and not use the $POST array directly and you should operate a check to ensure that the login came from your site and check that the $POST['submit'] button is present.
Reliance on the $_SERVER['REQUEST_METHOD'] to test if the request is a POST request is not good enough, a post request could be coming from anywhere, you want to know that the post came from your site, the method I use is fairly simple
Using a whitelist and not using the $_POST array to control things...
$whitelist = array(
"username"=>FILTER_SANITIZE_STRING,
"password"=>FILTER_SANITIZE_STRING,
"timeframe"=>FILTER_SANITIZE_STRING
);
foreach($whitelist as $field=>&$value){
$value = isset( $_POST[ $field ] ) ? filter_var( $_POST[ $field ] , $value ) : false;
if(!$value ) header("Location: /index.php");
}
if( $hash!=$whitelist['timeframe']) header("Location: /index.php"); // send to home page
then when you are sure that your values are sanitized, you can use the values in your whitelist in your script.
You might want to look at page salting as a way of marking your pages that your server issues, something that can be tested on form submission (login) and a check to ensure that your server issued the page and it is genuine.