Nice, but I see an error.
Code:
//Protect against mysql Inject
$username = stripslashes($username);
$password = stripslashes($massword);
$username = mysql_escape_string ($_POST['username']);
$password = mysql_escape_string ($_POST['password']);
You use the stripslashes function on $username and on $password (by the way, you misspelled $password for the second stripslashes function) but then you bypass this by using mysql_escape_string on the $_POST data. Your code should read like this:
Code:
//Protect against mysql Inject
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_escape_string ($username);
$password = mysql_escape_string ($password);