On Yahoo Questions, I was getting help with my PHP login system, and a prominent answerer (lol) on Yahoo Questions had this to say:
"Using $_SESSION to store your login is a bad idea!
When the user logs in, you compare his entry with values in your DB. There, you also have his email.
The general idea is that your user's table contains user, pwd, email AND "sess", a field of 50 chars that will be filled, AT SIGN-IN, with the session number. Then, if you want any detail of the user, use $_SESSION and check it against the DB, field "sess"."
If I'm doing it wrong, I'd like to know how to fix my login system. I didn't understand exactly what he said, though, and I'm not sure how to fix it. Here is my code; tell me what you think, please:
<?php
$dbhost = "localhost";
$dbname = ""; // I erased these 3 on purpose
$dbuser = "";
$dbpass = "";
mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select * from members where username='$username' and password='$password'";
$result = mysql_query($query);
if (mysql_num_rows($result) != 1) {
    echo '<br><div align="center"><font size="4" color="white">Invalid username or password. Please try again.</font></div><br>';
    include "sign_in.php";
} else {
    $_SESSION['username'] = "$username";
    include "my_account.php";
}
?>
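For comparison, here is the same login flow written the way a reviewer would want it. This is an added example, not the poster's code: it replaces the query built from raw $_POST values with a PDO prepared statement, replaces the plain-text password column with password_hash/password_verify, and regenerates the session id on login. It uses an in-memory SQLite database with one constructed account so it runs offline; the table and column names are assumptions.

```php
<?php
// Added example, not the original post's code. In-memory SQLite with a
// constructed account stands in for the MySQL "members" table.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
// Constructed sample user; only a hash is stored, never the password itself.
$seed = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Check a username/password pair. Returns the user's id on success, null otherwise.
 * The username is a bound parameter, so input such as  ' OR '1'='1  is compared
 * as a literal string instead of being parsed as part of the SQL.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify reads the algorithm and salt out of the stored hash and
    // compares in constant time; an unknown user and a wrong password look the same.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$userId = authenticate($db, $username, $password);
if ($userId === null) {
    echo 'Invalid username or password. Please try again.';
    // include "sign_in.php";
} else {
    // New session id at the moment of login, so an id handed out before
    // authentication cannot be carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // include "my_account.php";
}
```

Session data itself lives on the server, so keeping the logged-in user's id in $_SESSION is fine; storing a session identifier in the database, as the quoted answer suggests, is only needed if you want to invalidate or list sessions from the server side.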