I don't think it is a good idea to post the mysql error on failing.
or die("MySQL Error: ".mysql_error());
When it comes to this, I'd say the fewer informations you returned the better. Giving information that could tell the person attempting the login whether it is the username or the password that has failed, is not good, this goes as well as telling the user which sort of database you're using, how it is queried, etc.
Further more realize that the most frequent way security in such situations is overcome, is through social engineering, and in that case, it doesn't matter how you hash data etc. (not that you shouldn't) Just to say that security is a lot, and it does not limit it self to how you store and retrieve data.
For instance, is the login done through an encrypted line? Is there any enforcement on the password strength the user has? what happens after the user is logged in, how do you track logged in users vs. those merely visiting the site? How do you prevent session takeovers, etc. I'm not an expert on the topic, but it is a broad topic. Perhaps you just wanted a comment on the code you posted, in which case my top paragraph really should have been all you needed to read ;) along with Crowe T. Robot's answer :)