08-14-03, 09:54 PM
evo4ever
I'd do some username validation as well. You've gotta test if the user actually exists in the database. The code which tests the username and password against two db rows for equality is checking if the user exists, yeah? If so, this would be better:

PHP Code:

// Using your $result var.
// Number of rows the login query matched (0 means no such user/password pair).
$found_user = @mysql_num_rows($result);

if ($found_user > 0) {
    // do session and header stuff
}
else {
    // print a "user not found" error.
}

PS: If you're not encrypting your passwords in the db then you should.

PHP Code:

// Encrypt the password before it goes in the db:
$password = md5($_POST["password"]); /* you can use crypt() as an alternative. */

// This line of code would be used in the registration script.
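An added example, not part of evo4ever's post: the same user-exists check and password hashing written with PDO prepared statements and PHP's `password_hash()`/`password_verify()`, including an upgrade path for rows that already hold md5 digests (md5 is unsalted and fast to brute-force). The `users` table, its column names, the in-memory SQLite database and the sample accounts are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Table and column names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Hash verified for unknown usernames so both failure paths do similar work.
define('DUMMY_HASH', password_hash('unused-placeholder', PASSWORD_DEFAULT));

function register(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn(); // false when the user does not exist
    if ($stored === false) {
        password_verify($password, DUMMY_HASH);
        return false;
    }
    // Legacy rows hold a 32-character hex md5 digest; newer rows hold password_hash() output.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    // On success, replace legacy or outdated hashes with a current one.
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $upd = $db->prepare('UPDATE users SET pass_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $user]);
    }
    return $ok;
}

// Constructed sample data: one legacy md5 row and one new registration.
$db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
   ->execute(['olduser', md5('correct horse')]);
register($db, 'newuser', 'example-passphrase');

var_dump(login($db, 'olduser', 'correct horse')); // legacy hash checked, then upgraded
var_dump(login($db, 'olduser', 'wrong guess'));   // wrong password
var_dump(login($db, 'nobody', 'anything'));       // unknown user
var_dump(login($db, 'newuser', 'example-passphrase'));
```

`login()` returns the same `false` for an unknown user and a wrong password, so the caller can show one generic failure message and start the session only on `true`.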