PHP Classes

It's vulnerable by itself.

Subject: It's vulnerable by itself.
Summary: Describing code vulnerability
Messages: 7
Author: Mehran Ahadi
Date: 2011-08-27 10:48:07
Update: 2011-10-03 08:39:50
 

  1. It's vulnerable by itself.
Mehran Ahadi - 2011-08-27 10:48:07
Hi man,
Your code is itself vulnerable to SQL injection attacks via the $username var!

And also, it's not useful and may generate incorrect logs for normal site visitors too.

[Translated from Farsi:] I'm writing in Farsi so that we don't lose face in front of foreigners!
Honestly, why do you do something without knowing what you are doing and put it on the net, so that we become the subject of foreigners' ridicule?

Try to publish useful, properly working classes under an Iranian name, for the honor of the homeland.

Hoping for the pride of Iranians in the world.
I suggest you look at the "Tic Tac Toe" class, which is the game of Dooz and was made by an Iranian.

phpclasses.org/package/6622-PHP-Tic ...

Thanks, Mehran.

  2. Re: It's vulnerable by itself.
omid zarifi - 2011-08-27 17:10:11 - In reply to message 1 from Mehran Ahadi
The $username variable is just for the example;
you can change it.
[Translated from Farsi:] And here it is in Farsi:
Brother, this is completely correct, and this username variable is only for the example;
to prevent it, you can use my SQL injection police class.
Thanks,
omid

  3. Re: It's vulnerable by itself.
omid zarifi - 2011-08-28 11:28:32 - In reply to message 1 from Mehran Ahadi
I tested it and fixed the bug,
but this is not a bug, just a simple example of using the class in a script.

  4. Re: It's vulnerable by itself.
Mehran Ahadi - 2011-08-28 15:13:37 - In reply to message 3 from omid zarifi
To fix it you should use mysql_real_escape_string() which is not used at all.
It welcomes SQL injection attackers to attack.

  5. Re: It's vulnerable by itself.
omid zarifi - 2011-08-28 19:29:07 - In reply to message 4 from Mehran Ahadi
I'm sure now that this class does not have an SQL injection bug.
I tested and fixed it.
If you like this class, rate it.

  6. Re: It's vulnerable by itself.
- - 2011-09-27 19:21:09 - In reply to message 5 from omid zarifi
You're kidding right? You don't seem to grasp any of the basic escaping techniques (or why they should be done anyway) and you're publishing this as a "solution" to those problems?
Sorry, but you're only making the web an UNsafer place by publishing this "code".

  7. Re: It's vulnerable by itself.
Martin Pircher - 2011-10-03 08:39:50 - In reply to message 6 from -
The class is still open to SQL injection ($br). It's the same issue as your police class. As already said above, you shouldn't get rid of dangerous characters but simply escape them.

I wonder if Manuel checks recommended classes before nominating them!? Innovation Award surely gets a lot of attention, and security classes which should protect you against injection attacks really shouldn't open a security hole by itself.
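The thread turns on two claims: that deleting "dangerous" characters from input (the $br approach Martin Pircher refers to) does not stop SQL injection, and that it corrupts legitimate input for normal visitors (Mehran Ahadi's point in message 1). The following is an added example written for this page; it is not code from the class, from anyone in the thread, or from PHP Classes. It uses Python with an in-memory SQLite database instead of PHP/MySQL because the behaviour does not depend on the driver. The users table, the blacklist filter strip_dangerous(), and the three lookup functions are constructed for illustration. It shows a concatenated query being injected, the blacklist being bypassed with a doubled keyword while also mangling an ordinary surname, and a parameterized query that is unaffected by either payload. Parameterized queries, not escaping, are the fix a practitioner would reach for today; the mysql_real_escape_string() function mentioned in message 4 belongs to the ext/mysql extension, which was removed in PHP 7.0.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the class's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def strip_dangerous(value):
    """Hypothetical blacklist filter in the spirit of the 'police' approach
    criticised in the thread: delete quotes, comment markers and a few
    keywords. This is not the class's code; it illustrates why the idea fails."""
    for token in ("'", '"', "--", ";"):
        value = value.replace(token, "")
    for keyword in ("UNION", "SELECT", "OR"):
        # Each keyword is removed once, non-overlapping, so "OORR" -> "OR".
        value = re.sub(keyword, "", value, flags=re.IGNORECASE)
    return value


def lookup_unsafe(conn, username):
    """String concatenation: the pattern the thread objects to."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_filtered(conn, user_id):
    """Numeric context guarded only by the blacklist filter. No quotes are
    needed to inject here, and the keyword filter is defeated by doubling."""
    sql = "SELECT id, username FROM users WHERE id = " + strip_dangerous(user_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value never becomes part of the SQL text."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Classic quote-based injection returns every row instead of none.
    print(lookup_unsafe(conn, "' OR '1'='1"))
    # The filter mangles a legitimate surname containing "or".
    print(strip_dangerous("Morgan"))
    # Doubled keyword survives one pass of stripping and injects anyway.
    print(lookup_filtered(conn, "1 OORR 1=1"))
    # Same payload against a parameterized query matches nothing.
    print(lookup_safe(conn, "' OR '1'='1"))
```

Running the script shows the concatenated and filtered lookups returning all three users for a single payload while the parameterized lookup returns an empty list; strip_dangerous("Morgan") comes back as "Mgan", which is the kind of false positive that produces the incorrect logs mentioned in message 1.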