
Is this PHP login technique safe considering SQL injection?

I'm investigating a site that was written long ago by some PHP developer, and I'd like to know if the login technique he used was safe or not.

Here is the way he did it:

$username='';
$username = escapeshellcmd($HTTP_POST_VARS['user']);
$pwd = escapeshellcmd($HTTP_POST_VARS['pw']);

$loginerror=false;

if ($logout=="1")
{
  closesession($s_id);
  $username='';
  $logged=false;
}

$logged=checksession(session_id(), $ipaddr);

if ((!$logged) && ($username!=''))
{
        //$username = escapeshellcmd($HTTP_POST_VARS['felhasznalo']);
        //$pwd = escapeshellcmd($HTTP_POST_VARS['jelszo']);
        if (checkuser($username, $pwd, DOM))
            {
            if (sessionstore(session_id(), $username, $pwd, $ipaddr, $datum, DOM))
                {
                $logged=true;
                }
            }
        else
            {
            $loginerror=true;
            ;
            }       
}
if ($logged)
    {
    $username=getsessionuser(session_id());
    $remember=getremember($username, DOM);
    }
?>

function checkuser($u, $p, $d )
{
$sql_ell='SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="'.$u.'" AND DOMAIN="'.$d.'"';
$eredm_ell= mysql_query($sql_ell);
if ($eredm_ell)
    {
    $domainnumrows=mysql_num_rows($eredm_ell);
    if ($domainnumrows==1) 
        {
        $egy_sor = mysql_fetch_row( $eredm_ell ); 
        $pwd_in_table=$egy_sor[0];
        if ($pwd_in_table==md5($u.$p))
            {
            return true;
            }
        } // rows
    } // ered
return false;   
} // func

Is this safe?


If I see correctly, the only check done on username is escapeshellcmd. That is NOT enough. Again, if I see correctly, it gets put into this query:

$sql_ell='SELECT PWD FROM USERS WHERE ACTIVE=1 AND USERNAME="'.$u.'" AND DOMAIN="'.$d.'"'

where you can do all sorts of nasties.

So no, it's not safe.
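
The checkuser() lookup from the question, rewritten with bound parameters so that the username and domain never become part of the SQL text. This is an added example, not code from the question or the answer; the extra $db argument, the PDO in-memory SQLite database standing in for the site's MySQL connection, and the sample row are assumptions made so that it runs on its own.

```php
<?php
// Added example: checkuser() rewritten with a bound-parameter query.
// Assumptions: PDO with the pdo_sqlite driver stands in for the site's MySQL
// connection; the table layout and the sample row below are constructed.

function checkuser(PDO $db, string $u, string $p, string $d): bool
{
    // Placeholders keep user input out of the SQL text entirely, so quotes
    // in $u or $d are only ever treated as data.
    $stmt = $db->prepare(
        'SELECT PWD FROM USERS WHERE ACTIVE = 1 AND USERNAME = :u AND DOMAIN = :d'
    );
    $stmt->execute([':u' => $u, ':d' => $d]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Same rule as the original: exactly one matching active account.
    if (count($rows) !== 1) {
        return false;
    }
    // md5($u.$p) is kept only so rows stored by the old code still verify;
    // hash_equals() replaces the loose == comparison.
    return hash_equals((string) $rows[0], md5($u . $p));
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USERS (USERNAME TEXT, DOMAIN TEXT, PWD TEXT, ACTIVE INTEGER)');
$ins = $db->prepare('INSERT INTO USERS VALUES (?, ?, ?, 1)');
$ins->execute(['alice', 'example.test', md5('alice' . 'correct horse')]);

// escapeshellcmd() targets shell metacharacters. On non-Windows builds it
// escapes a quote only when it is unpaired, so this balanced pair is unchanged.
$quoted = 'al"ic"e';
var_dump(escapeshellcmd($quoted) === $quoted);

var_dump(checkuser($db, 'alice', 'correct horse', 'example.test')); // valid login
var_dump(checkuser($db, 'alice', 'wrong', 'example.test'));         // wrong password
var_dump(checkuser($db, $quoted, 'x', 'example.test'));             // quotes stay data
```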
