I have created a login form and coded the PHP file to log in the member. I have coded each page of the members' area to authenticate the user; however, anyone can still access the pages by simply typing in the URL. The code is not returning any errors when run on the server.
Here is the code to process the login form:
<?php
// Connect to the database
$dbhost = 'myserver';
$dbuser = 'user';
$dbpass = 'pass';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');
$dbname = 'databasename';
mysql_select_db($dbname);

session_start();
$username = $_POST['username'];
$password = md5($_POST['password']);
$sql = "select * from table where username='$username' and password='$password'";
$result = mysql_query($sql);

if (mysql_num_rows($result) != 1) {
    $error = "Login failed";
} else {
    // Remember the member and the address they logged in from
    $_SESSION['username'] = "$username";
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    // Send the member to their own gallery page
    header('Location: mydomain.com...' . $username . '.php');
}
?>
As you can see, each member will be directed to their own page through the header, and that works perfectly, bringing up their gallery.
Here is the code I put at the top of all members' pages:
<?php
session_start();
$newip = $_SERVER['REMOTE_ADDR'];
// Log the visitor out unless a username is in the session and the IP still matches
if (!isset($_SESSION['username']) ||
    empty($_SESSION['username']) || $newip != $_SESSION['ip']) {
    include "logout.php";
}
?>
I have put this at the top of the page before the <html> tag, maybe that is my mistake; I am quite new at coding for members sections.
Also, as of right now, security is not a major concern, as the only info stored in the db is the username and password, and the members' pages are galleries of pictures for the Bride and Groom and any guests they give their event password to (it's for a photography business); however, I do want to eventually expand the galleries to be able to take orders from page visitors, so I would appreciate it if anyone could tell me of any major security issues I should deal with now, so I don't miss them at a later expansion.
Thanks,
Mike
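A hardened version of the two pieces in the post above, written as an added example and not Mike's own code: the page guard stops the request after redirecting instead of letting the gallery render, ties each member to the page named after their own username, and the login check uses a prepared statement with password_hash()/password_verify() instead of md5() in an interpolated query. It assumes PHP 7+, a hypothetical `members` table with `username` and `password_hash` columns, and the file name `members_auth.php`.

```php
<?php
// members_auth.php: added example (hypothetical file name), not the poster's code.
// Assumes a table `members(username, password_hash)` filled via password_hash().

// Call at the very top of every members page, before any HTML output.
function require_member(): void
{
    session_start();
    if (empty($_SESSION['username'])
        || ($_SESSION['ip'] ?? null) !== $_SERVER['REMOTE_ADDR']) {
        session_unset();
        session_destroy();
        header('Location: login.php');
        exit; // without exit, PHP keeps going and still sends the gallery
    }
    // A member may only view the page named after their own username,
    // so typing another member's URL redirects back to their own gallery.
    $own = $_SESSION['username'] . '.php';
    if (basename($_SERVER['SCRIPT_NAME']) !== $own) {
        header('Location: ' . $own);
        exit;
    }
}

// Replaces the md5() + string-interpolated query of the login script.
function login_member(PDO $pdo, string $username, string $password): bool
{
    // Usernames double as file names, so restrict them to safe characters.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return false;
    }
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_start();
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['username'] = $username;
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    return true;
}

// Usage in the form handler (connection details are placeholders):
// $pdo = new PDO('mysql:host=myserver;dbname=databasename;charset=utf8mb4', 'user', 'pass');
// if (login_member($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: ' . $_SESSION['username'] . '.php'); exit;
// }
```

The stored hashes are created once with `password_hash($plain, PASSWORD_DEFAULT)` when a member is registered, so existing md5 values would need to be reset.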