Week 2 Assignment - Insecure Login

// Start (or resume) the PHP session; login state is kept in $_SESSION['valid_user'].
session_start();

// A login attempt is any request that carries both fields.
// NOTE(review): $_REQUEST takes the values from the query string as well as from a POST
// body, and the form rendered by this script submits with method="get", so the password
// ends up in the URL (browser history, proxy and web-server access logs, Referer headers).
// Mitigation: accept credentials from $_POST only, over HTTPS.
// NOTE(review): nothing in this script limits repeated attempts (no throttling or lockout).
if (isset($_REQUEST['userid']) && isset($_REQUEST['password'])) {
  // if the user has just tried to log in
  // Raw request values: no validation, filtering or escaping is applied before use.
  $userid = $_REQUEST['userid'];
  $password = $_REQUEST['password'];
// Pulls in the database connection; presumably defines $db_conn, which is closed below
// (the included file is not shown here — confirm).
include "db/db_connect.inc";
// SQL injection: both request values are interpolated straight into the statement text, so
// quote characters in either field alter the structure of the query instead of being
// treated as data. Mitigation: a prepared statement with bound parameters (PDO or mysqli).
// The submitted password is compared as-is against the column, which implies passwords are
// stored unhashed. Mitigation: store password_hash() output, fetch the row by username only,
// and check it with password_verify().
$query = 'select * from customers' 
           ." where username='$userid' "
           ." and password='$password'";
  // The mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0.
  // mysql_query() returns false on failure and that value is passed on unchecked, so a
  // failed query falls through to the "could not log you in" path with a PHP warning
  // rather than being handled as an error.
  $result = mysql_query($query);
  $num_rows = mysql_num_rows($result);
  // Any non-empty result set counts as a successful login; the row itself is never read.
  if ($num_rows > 0)  {
    // if they are in the database register the user id
    // The session stores the string typed by the client, not the username column of the
    // matched row, so the displayed identity is whatever the request supplied.
    // NOTE(review): the session ID is not rotated on login (session fixation); call
    // session_regenerate_id(true) before writing the authenticated state.
    $_SESSION['valid_user'] = $userid;    
  }//end if rows
  mysql_close($db_conn);
}
  // Render the page: a logged-in banner when the session holds 'valid_user', otherwise a
  // status message followed by the login form.
  if (isset($_SESSION['valid_user']))  {
    // Cross-site scripting: the session value is concatenated into the HTML unescaped, and
    // it holds the raw userid taken from the request at login. Mitigation: pass it through
    // htmlspecialchars($value, ENT_QUOTES, 'UTF-8') before output.
    echo '<h2 style="color:green;">You are logged in as: '.$_SESSION['valid_user'].' </h2>';
    echo '<p>You can <a href="logout.php">Log out</a> now.</p>';
  }
  else 
  {
    // $userid is only assigned when this request carried both credential fields, so
    // isset($userid) separates "tried and failed" from "has not tried yet".
    if (isset($userid))   {
      // if they've tried and failed to log in
      // The message does not say which field was wrong. It refers to allowed password
      // characters, but no such character check is performed anywhere in this script.
      echo '<h2 style="color:red;">Sorry, could NOT log you in. Please check that your
password is made up of alphacharacters, and underscores.</h2>';
	  }
    else 
    {
      // they have not tried to log in yet or have logged out
      	echo '<h2 style="color:red;">You are not logged in.</h2>';
	 }
    
    // provide form to log in 
    // NOTE(review): method="get" puts userid and password in the query string of auth.php;
    // a login form should submit with method="post" over HTTPS.
    echo '<form method="get" action="auth.php" name="login">';
    echo '<pre>   <label for="userid">Userid: </label>';
    echo '  <input type="text" name="userid" /><br /><br />';
    echo '   <label for="password">Password: </label>';
    echo '<input type="password" name="password" /></pre>';
    echo '      <input type="submit" value="Log in" />';
    echo '</form>';
  }