// if there are any errors, display them
 if ($error != '')
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="dbriomra"; // Database name
$tbl_name="login"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";

// Mysql_num_row is counting table row
// If result matched $myusername and $mypassword, table row must be 1 row
// Register $myusername, $mypassword and redirect to file "login_success.php"
$error = 'ERROR: Please fill in all required fields!';

if the user login with incorrect employee no and password, the message must be show. but it doesn't. please help. Thanks

You are initializing the $error variable to an empty string just before checking whether it contains anything. Initialize it on the beginning of the script and do the check after the checking for correct password.

Also session_register function is deprecated. I recommend you avoid it. Use direct assignment instead:

$_SESSION['myusername'] = $myusername;
$_SESSION['mypassword'] = $mypassword;