mysql_real_escape_string()

Well for one, I would use mysql_real_escape() on any variable you are passing to MySQL. That should prevent any kind of MySQL injection. I would make sure that your passwords are hashed correctly (using md5() or sha1() ). For added security I would salt your encryptions. See this page for more on salts. Beyond that: Don't store password in cookies (using a unique id or some kind of session id), don't allow code tags (such as <script>) in any kind of use input that will be placed on a page, and be sure that users are authenticated on every page. If you would like, you could give us the address of your site and we can look at some possible security flaws.

thankx guys for replying))
i added the following in my login form.
when i try to login in my localhost it works fine.but in server online it doesn`t work.
When i used addslashes instead of mysql_real_escape_string,the function worked in all sectors.
So what is the difference between these two functions,And if iwant to use mysql_real_escape_string how should i make it to work.??

Well this is definitely an improvement! I believe you problem lies in the fact that the passwords in the database aren't hashed using md5(). You need to create a temporary PHP file on your site with just one line of code:
Then all you have to do is go through you your databases passwords and plug them into the md5 function. After that just replace the old password with the new hashed string. (It is important to make sure that the row that holds passwords can handle a hash. If it is a Varchar it needs to be at least 32 in length). Next, you might need to know if your host has magic_quotes_gpc on (Chances are your host has it on). If so, on the server you will need to change the code so that before you mysql_real_escape_string() a string that you pass it through stripslashes:
The reason for this is that when magic_quotes_gpc is on, most strings will automatically be escaped already (but not escaped for MySQL!). You will need to use [code]stripslashes()[/icode] before you use any MySQL escaping functions on it, so that the string is unescaped. This may sound confusing (In fact, it's been deprecated in PHP 5.3 and will be removed in PHP 6), but I believe this could be your solution.

@FlashCreations,in da web when registering i hash the passwords with md5().thats why when login i was using
the problem started after i added
and how will i know if the magic_quotes_gpc is ON??
also i tested sending comments using
mysql_real_escape_string it worked.
it seems the problem is in the Authorization.
help me in this plz

You will know if magic_quotes_gpc is on by asking your host (If they have the latest version of PHP it shouldn't be!). That might not be it. The only way for us to help you is if you post your code.

here is my login code
]

yes that is also a corect statement but u also need to do this for the registration as well because it is actually inserting into the database there is more of a risk

Your code is looking fine. Do you have any issue?