> Is this secure? I've tried simple injections on it and they haven't worked.
The only way this could be more insecure is if the entire SQL query was provided by the user (rather than just part of it).
Out of curiosity, what simple injections have you tried? Every one I can think of should work just fine and alert you to the vulnerability.
> $login_check = mysql_num_rows($sql);
As a side note, it's best to name result sets something like $result instead of $sql. The misleading variable name can cause confusion, as this code demonstrates. You can't use mysql_num_rows() on an SQL statement.
> if (!isset($_SESSION['username'])) {
> session_register('username');
> $_SESSION['username'] = $username;
> }
There's no need for session_register(). Also, it's nice to be able to consider session data safe. When you assign tainted data to a session variable, you prevent this.
> header('location: login.php?id=85');
The Location header requires an absolute URL, not a relative one.
To help prevent SQL injection, you need to always filter your data on input and properly escape your data on output. When sending data to a MySQL database, this means using mysql_real_escape_string().
For more information, see:
http://shiflett.org/articles/security-corner-apr2004
http://phpsec.org/projects/guide/3.html#3.2
http://www.unixwiz.net/techtips/sql-injection.html
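
The filter-input, escape-output advice in the reply above, as an added example that is not part of the original post or the poster's code. It assumes a constructed `users` table and a hypothetical username policy, and it uses PDO::quote() on an in-memory SQLite database in place of mysql_real_escape_string() so it runs without a MySQL server; the helper names are hypothetical.

```php
<?php
// Added example with constructed data; PDO/SQLite stands in for the mysql_* API.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'constructed-hash')");

// Before: tainted input is concatenated straight into the statement.
function login_unsafe(PDO $db, $username, $password) {
    $sql = "SELECT COUNT(*) FROM users
            WHERE username = '$username' AND password = '$password'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Filter input: accept only what a username may look like (assumed policy).
function filter_username($raw) {
    $ok = is_string($raw) && preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw);
    return $ok ? $raw : null;
}

// After: filtered data goes into $clean, and every value is escaped for
// the database at the moment the statement is built.
function login_safe(PDO $db, $raw_username, $raw_password) {
    $clean = array();
    $clean['username'] = filter_username($raw_username);
    if ($clean['username'] === null || !is_string($raw_password)) {
        return false; // reject instead of trying to repair bad input
    }
    // Password comparison is simplified; the point here is the query.
    $sql = 'SELECT COUNT(*) FROM users'
         . ' WHERE username = ' . $db->quote($clean['username'])
         . ' AND password = ' . $db->quote($raw_password);
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// The same constructed inputs are run through both versions so the
// difference in behaviour can be compared.
$probe = "' OR '1'='1";
var_dump(login_unsafe($db, 'alice', $probe));
var_dump(login_safe($db, 'alice', $probe));
var_dump(login_safe($db, "alice' --", 'anything'));
var_dump(login_safe($db, 'alice', 'constructed-hash'));
```

Only $clean['username'] would be assigned to $_SESSION['username'], which keeps session data free of tainted values.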