Hello, it's enough, you are comparing username and password from user to database, the only two input that can identify the user are username and password, but make sure you are making the username unique.

you can also add login failed counter and assign the count in session. Define how many failed login would you allow, before requiring an account reset or captcha.

Test your login script with the most common login hacks e.g. type OR'' on the password field, without typing any username... if the script shows the mysterious user as logged in, then you need to sanitize more..

As long as this is not a higly confidential banking or government site this might be enough. Hopefully you have done the password hashing as per good practices. You might want to check this link.

Other aspect of security is input data validation/sanitization (username and password) to prevent sql injections.

mysql_real_escape_string() is a must, you need to use it almost on every variable, in which value is taken from the user, to prevent SQL Injection.
Even if you have million users, if an action is applicable on one user, it will be applicable for all :)

Escaping values using mysql_real_escape_string or similar (i.e. mysqli_real_escape_string) function greatly minimizes a possibility of sql injection by escaping dangerous characters. Some other things you have to do are (not a comprehensive list):

• put quotes arround any query parameters - even numbers
• or use prepared statements, but this method is slightly less efficient
• validate input values (if you expect a number check it with is_numeric, if you expect an integer within known range check for the range, check strings for maximum lenght, whitelist values if possible)

Also use newer mysqli extension instead of old mysql which might soon get deprecated.

More on this topic is here and here.

And more on login security.

Personally, I'd use prepared statements (PDO flavour), BUT you need to validate the data too. All data from POST vars should be strings anyway, but you can check for integer or float or date formats, etc. If any of the inputs fall outside the allowed parameters, flag an error - do not run the query.

One more thing: if password is incorrect, do not tell that to the user; if username is incorrect, do not tell that to the user. Allways tell them that login failed, but not the reason. This way you give no clue to potential attacker.