some notes...
You're not checking if "username" or "password" actually exist before using them. This will cause errors if they're missing (also consider that, in your current code, [font=monospace]$password[/font] will never be empty - even if the user left the field blank).
I don't know how you'd prefer to handle errors/user messages, but you should choose one way. Right now, you're saving the messages for later in some cases and simply dumping output to the browser in others.
Why does your [font=monospace]login()[/font] function require a username and password, when it does nothing except call [man]session_start[/man]? Why have this function at all?
Don't use the mysql_*() functions. They are deprecated. You should use [man]mysqli[/man] or [man]PDO[/man] instead.
Why select all columns from your matching rows when your function doesn't use any of it? You could [font=monospace]SELECT 1 ...[/font] instead. If you plan to use the info later, you should write out the column names explicitly (using * in production is almost never the best approach).
Don't use session_register(). It is also deprecated and has some major caveats in its use that can cause unexpected problems. Use the $[man]_SESSION[/man] superglobal instead.
Maybe something like this?
<?php
session_start();
# This assumes this script does nothing but process your login form.

# check required fields
if( empty( $_POST['username'] ) || empty( $_POST['password'] ) ){
    $msg = 'Please fill out both fields to log in.';
}else{
    # this example uses mysqli.
    $DB = new mysqli( 'DB_host','DB_username','DBpassword','DB_name' );
    # check if login is correct:
    $success = check_login( $_POST['username'],$_POST['password'],$DB );
    # assign appropriate message:
    $msg = $success?
        'Thank you for logging in':    // success
        'Wrong username or password.'; // failure
    # you might do other stuff based on success or failure here;
    # e.g., save user info to the $_SESSION superglobal, etc..
}
# user message
print $msg;

/**
 * this function checks a username and password against database records.
 *
 * @param string $username  The username to check
 * @param string $password  The password to check
 * @param object $DB        The database connection object
 *                          (This example uses the mysqli extension [http://php.net/mysqli])
 * @return bool             true if username+password matches a DB record; false otherwise.
 */
function check_login( $username,$password,mysqli $DB ){
    # use a prepared statement; this helps prevent SQL injection attacks
    $query = $DB->prepare( 'SELECT 1 FROM users WHERE username=? AND password=?' );
    # do your hash (*just* md5() isn't the best approach, BTW)
    $password = md5( $password );
    # bind the submitted username/password to the statement
    $query->bind_param( 'ss',$username,$password );
    # query the DB; execute() only returns true/false, so buffer the result
    # set on the statement and check its row count to determine success
    $query->execute();
    $query->store_result();
    return ($query->num_rows === 1)?
        true:  // 1 row means you found a match
        false; // otherwise, the check failed.
}
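The md5() caveat in the code comment above, worked through as an added example (not part of the original post): the same check with PHP's password_hash() / password_verify(), where the row is fetched by username and the hash is compared in PHP rather than in the WHERE clause. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table layout, the function name check_login_hashed, the DUMMY_HASH constant and the sample user are all assumptions.

```php
<?php
# Added example: table layout, names and the sample user are constructed.

# hash to verify against when the username is unknown (see below)
define( 'DUMMY_HASH', password_hash( 'placeholder', PASSWORD_DEFAULT ) );

function check_login_hashed( string $username, string $password, PDO $DB ): bool {
    # look the user up by name only; a password_hash() value embeds its own
    # random salt, so it cannot be matched with "AND password=?"
    $query = $DB->prepare( 'SELECT password_hash FROM users WHERE username = ?' );
    $query->execute( [$username] );
    $hash = $query->fetchColumn();

    if( $hash === false ){
        # unknown user: still run one verification so both failure paths
        # take about the same time
        password_verify( $password, DUMMY_HASH );
        return false;
    }
    if( ! password_verify( $password, $hash ) ){
        return false;
    }
    # re-hash on successful login if the default algorithm or cost changed
    if( password_needs_rehash( $hash, PASSWORD_DEFAULT ) ){
        $update = $DB->prepare( 'UPDATE users SET password_hash = ? WHERE username = ?' );
        $update->execute( [password_hash( $password, PASSWORD_DEFAULT ), $username] );
    }
    return true;
}

# --- constructed demo data: in-memory SQLite with a single user ---
$DB = new PDO( 'sqlite::memory:' );
$DB->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$DB->exec( 'CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)' );
$insert = $DB->prepare( 'INSERT INTO users VALUES (?, ?)' );
$insert->execute( ['alice', password_hash( 'correct horse', PASSWORD_DEFAULT )] );

var_dump( check_login_hashed( 'alice', 'correct horse', $DB ) ); # correct password
var_dump( check_login_hashed( 'alice', 'wrong guess', $DB ) );   # wrong password
var_dump( check_login_hashed( 'mallory', 'anything', $DB ) );    # unknown user
```

Both failure cases return the same value, so the single "Wrong username or password." message from the script above still applies.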