I have the following auth mechanism:

PHP Code:
<?php
     session_start
();
     if(
$_POST["auth"] != null && $_SESSION["username"] == null)
     {
         
$username $_POST["username"];
         
$password $_POST["password"];
         
$users mysql_query('SELECT id, admin FROM users WHERE username = '.$username.' AND password = PASSWORD("'.$password.'") AND deleted = 0 LIMIT 1');
         if(
mysql_num_rows($users) > 0)
         {
             
$_SESSION["username"] = $username;
             while(
$user mysql_fetch_array($users)){$_SESSION["admin"] = $user["admin"];}
             
header("location: /");
         }
         else{
header("location: /?message=Invalid credentials. Please try again.");}
     }
     elseif(
$_SESSION["username"] != null){header("location: /");}
     else
     {
 
?>
 <p>
     corylogic is not currently available to the public. Only authorized beta testers may access the site in its present state.
 </p>
 <p>
     If you have been invited to participate in the corylogic beta testing program, please log in below.
 </p>
 <p>
     Thank you for your cooperation.
 </p>
 <form method="post">
     <fieldset>
         <legend>Credentials</legend>
         <label for="username">Username</label><input type="text" id="username" name="username"/>
         <label for="password">Password</label><input type="password" id="password" name="password"/>
     </fieldset>
     <fieldset>
         <legend>Actions</legend>
         <input type="submit" name="auth" id="auth" value="Log In"/><input type="reset" value="Clear"/>
     </fieldset>
 </form>
 <?php
     
}
 
?>
The trouble is, the "invalid credentials" error message is always displayed, regardless of whether the credentials are indeed correct or not.

Any suggestions? Thanks in advance.