Hi, I started programming in PHP two weeks ago. I'm wondering what the best procedure for user validation is. My first problem was that when the username and password were mismatched, the message I wanted to display was not showing; when I reviewed the algorithm, the page was reloading itself, so it flushed all the variable data.

So recently I decided to use $_SESSION, and after I used this global function, it works.

My steps are:
First, I check whether $_SESSION['flg'] is set and true or false.
Second, if it is not set or equal to false, the welcome message appears, but if it is true the
message shows "Invalid User name and password". Then, when it succeeds, the page redirects to the main page.

But I'm asking whether there is another procedure to make it better?
Thanks in advance, and I'm sorry for my English grammar ['hehe'].

Here is my code if anyone needs it.

```php
<?php
session_start(); // required before $_SESSION can be read or written

// $conn is assumed to be an open mysql_connect() link created earlier (not shown in the post).

//This will show above the login page.
if (isset($_SESSION['flg']) && $_SESSION['flg'] == true){
    $message = "Username and Password didn't match";
    unset($_SESSION['flg']); // clear the flag so the error is shown only once
} else {
    $message = "Welcome to SSI - School Information and Management System";
}

//Important so that if success the authentication it will go to main page
if (isset($_POST['submit'])){
    if (isset($_POST['username']) && isset($_POST['password'])){
        // escape the form values so quotes in them cannot break the query
        $username = mysql_real_escape_string($_POST['username'], $conn);
        $password = mysql_real_escape_string($_POST['password'], $conn);
        $str = "SELECT * FROM login_rf WHERE username='".$username."' AND password='".$password."' LIMIT 1";
        $result = mysql_query($str, $conn);
        if (mysql_num_rows($result) == 1){
            $foundUser = mysql_fetch_array($result);
            $_SESSION['userid'] = $foundUser['user_id'];
            $_SESSION['name'] = $foundUser['name'];
            // no echo before header(): any output sends the headers and breaks the redirect
            header("Location: main.php");
            exit;
        } else {
            $flg = true;
            $_SESSION['flg'] = $flg;
            header("Location: login.php");
            exit;
        }
    }
}
?>
<html>
<head>
    <title>SSI - School Information and Management System</title>
    <link rel="stylesheet" href="css/loginStyle.css">
    <script type="text/javascript" src="javascript/jquery.js"></script>
    <script type="text/javascript" src="javascript/jFunction.js"></script>
    <link rel="icon" type="image/ico" href="http://localhost/sims/images/newSSILOGO.ico"/>
</head>
<body>
    <div id="headMessage">
        <script type="text/javascript">
            hScroll('#headMessage', 500, 2500);
        </script>
        <?php
        //Script for above message.
        echo $message;
        ?>
    </div>

    <div id="container">
        <form method="post" action="login.php">
            <input type="text" id="tbUserName" name="username"><br/>
            <input type="password" id="tbPassword" name="password"><br />
            <input type="submit" id="submit" name="submit" value="Login >>">
        </form>
    </div>
</body>
</html>
```
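The same login flow written the way it would normally be done today, as an added example that is not part of the original post: a prepared statement instead of string-built SQL, password_verify() against a stored hash instead of a plaintext comparison, a regenerated session id after login, and a one-shot session flash message in place of the sticky `flg` flag. It assumes a PDO connection (DSN and credentials are placeholders) and that the `password` column of `login_rf` holds a password_hash() digest; neither assumption comes from the post.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection and that
// login_rf.password stores a password_hash() digest rather than a plaintext password.
session_start();

function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: the form value is bound as a parameter, never concatenated into SQL
    $stmt = $pdo->prepare(
        'SELECT user_id, name, password FROM login_rf WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the password against the stored hash. When no row exists we
    // still verify against a freshly made dummy hash so unknown users take about the same time.
    $hash = $row !== false ? $row['password'] : password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return null;
    }
    return $row;
}

if (isset($_POST['submit'])) {
    // DSN, user and password are placeholders, not values from the post
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    $user = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user !== null) {
        session_regenerate_id(true);   // fresh session id after login, so a pre-login id cannot be reused
        $_SESSION['userid'] = $user['user_id'];
        $_SESSION['name']   = $user['name'];
        header('Location: main.php');
        exit;                           // nothing is echoed around the redirect
    }
    // Flash message: stored in the session and consumed once on the next page load
    $_SESSION['flash'] = 'Invalid username or password.';
    header('Location: login.php');
    exit;
}

// On a normal GET: show the flash message once, then remove it so it does not persist
$message = $_SESSION['flash'] ?? 'Welcome to SSI - School Information and Management System';
unset($_SESSION['flash']);
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
```

Because the redirect and `exit` happen before any HTML is sent, the "headers already sent" problem that silently breaks the original `header()` calls cannot occur.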