$dbh->prepare('SELECT * FROM users WHERE username = "'.$_POST['username'].'" AND password = "'.$password.'"');
Thank you for the comment. Users install it on their own server, so it can be a closed system.
But I am open to suggestions for SQL injection.
I believe in PHP you can use '?' in the prepare statement part and later use bind to assign either a string or integer to each item. For instance, your line would become:
$select = $dbh->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
// "ss" declares both bound parameters as strings
if (!$select->bind_param("ss", $_POST['username'], $_POST['password'])) do_error_handling_and_exit();
if (!$select->execute()) do_error_handling_and_exit();
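
Added example, not part of the thread or either poster's code: the concatenated query and the placeholder query from the posts above, run side by side on the same inputs. It assumes PDO with an in-memory SQLite database instead of the thread's `$dbh`; the table contents, the function names `count_concat` and `count_bound`, and all inputs are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO with in-memory SQLite and a constructed
// users table; single-quoted SQL literals are used here for SQLite.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (username TEXT, password TEXT)');
$dbh->exec("INSERT INTO users VALUES ('alice', 'constructed-secret')");

// Concatenated form: the input is pasted into the SQL text itself.
function count_concat(PDO $dbh, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    return (int) $dbh->query($sql)->fetchColumn();
}

// Bound form: the SQL text is fixed; values travel separately as data.
function count_bound(PDO $dbh, string $user, string $pass): int
{
    $stmt = $dbh->prepare(
        'SELECT COUNT(*) FROM users WHERE username = ? AND password = ?'
    );
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: correct login, wrong password, quote-bearing values.
$cases = [
    ['alice', 'constructed-secret'],
    ['alice', 'wrong'],
    ['alice', "' OR '1'='1"],
    ["o'brien", 'x'],
];

foreach ($cases as [$user, $pass]) {
    try {
        $concat = (string) count_concat($dbh, $user, $pass);
    } catch (PDOException $e) {
        $concat = 'SQL error'; // a stray quote broke the statement
    }
    printf("%-10s %-22s concat=%-9s bound=%d\n",
        $user, $pass, $concat, count_bound($dbh, $user, $pass));
}
```

Any row where the two columns disagree is an input that changed the structure of the concatenated statement; the bound query only ever compares the value as data.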