Untitled

<?php
$msg = "";
if(protect($_POST['login']))
{
$username = protect($_POST['username']);
$password = protect($_POST['password']);

if ($username&&$password)
{
session_start();

$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
$password = md5($password);
if($numrows!=0)
{
  // code to login
       $row = mysql_fetch_assoc($query);
       $dbusername = $row['username'];
       $dbpassword = $row['password'];
       $activated = $row['activated'];
       $admin = $row['admin'];
       if ($activated == '0')
       $msg = "<div class='error'>You have not activated your account. Please check your e-mail to do so.<br><a href='index.php?action=Resend'>Click here to resend your activation e-mal.</a></div>";


     //check to see if they match !
     if ($username == $dbusername && $password == $dbpassword )
      {
      if ($activated == '1')
       {
       $_SESSION['username']=$username;
       if ($admin>=1)
        $_SESSION['admin']=$admin;
           header("Location: /quarters.php");
        mysql_query("UPDATE users SET online='online' WHERE username='$username'");
       }

     }
     else
    $msg = "<div class='error'>Incorrect password!</div>";
}
else
$msg = "<div class='error'>That user doesn't exist!</div>";
}
else
$msg = "<div class='error'>Please enter a username and password.</div>";
}

// <table valign='top'> <tr> t<d> </td><td> </td><td>   </td><td>  </td><td></table>    </td>
echo "
<p>
<center>
<form action='index.php' method='POST'>
<fieldset id='login'>
<legend><b>Log-In</b></legend>";
if ($msg)
echo $msg;

if (!$_SESSION['username']){
    echo "Username: <input type='text' name='username' value='$username'>
    Password: <input type='password' name='password'>
    <input type='submit' name='login' value='Log in'>";
    }
else
echo "You are already logged in. <a href='/quarters.php' target='_self' title='Quarters'>Click here to continue to your quarters.</a>";
    echo "</fieldset>";
?>