What do you think about this login procedure? Is it pretty safe?

When they log in, I first check that the username exists. If it does, I grab the salt (every user has a unique salt) from that user and re-hash it with the posted password:

$pass = hash('sha256', $salt . $posted_password);

and then I just compare with

$check = mysql_query("SELECT * FROM users WHERE username = '".$username."' AND password = '".$pass."'") or die("MySQL Error: ".mysql_error());
+2  A: 

This is not safe.

Use parametrized queries, or use mysql_real_escape_string to make sure you prevent SQL injections.

Other than that, that is a very common login technique, and is basically the "standard".

Link here about more Injection security: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php

Crowe T. Robot
ofc I use mysql_real_escape_string, I don't wanna post all the code
Tony
@Tony So in other words what you are saying is "is my code that I am not showing you safe?"
Yacoby
+3  A: 

I don't think it is a good idea to post the mysql error on failing.

or die("MySQL Error: ".mysql_error());

When it comes to this, I'd say the less information you return, the better. Giving information that could tell the person attempting the login whether it is the username or the password that has failed is not good; the same goes for telling the user which sort of database you're using, how it is queried, etc.

Furthermore, realize that the most frequent way security in such situations is overcome is through social engineering, and in that case it doesn't matter how you hash data etc. (not that you shouldn't). Just to say that security is a lot, and it does not limit itself to how you store and retrieve data.

For instance, is the login done through an encrypted line? Is there any enforcement on the strength of the user's password? What happens after the user is logged in; how do you track logged-in users vs. those merely visiting the site? How do you prevent session takeovers, etc.? I'm not an expert on the topic, but it is a broad topic. Perhaps you just wanted a comment on the code you posted, in which case my top paragraph really should have been all you needed to read ;) along with Crowe T. Robot's answer :)

TommyA
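The two points raised in the answers above (use a parametrized query instead of string concatenation, and don't echo mysql_error() to the visitor) applied to the asker's salted-SHA-256 login, as an added example that is not code from the question or either answer. It assumes a PDO connection, a `users` table with columns `username`, `salt` and `password` (hex SHA-256 of salt . password, as the question describes), and placeholder DSN credentials.

```php
<?php
// Added example: the question's login with a prepared statement and
// without leaking database errors. Hashing scheme is kept as the asker
// described it (sha256(salt . password)); table/column names are assumed.

function login(PDO $pdo, string $username, string $posted_password): bool
{
    // Look up by username only, via a bound parameter: the submitted values
    // never become part of the SQL text, so there is nothing to inject.
    $stmt = $pdo->prepare('SELECT salt, password FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Hash even when the user does not exist, so an unknown username and a
    // wrong password take the same path and return the same generic result.
    $salt   = $row ? $row['salt'] : 'dummy-salt';          // constructed filler
    $stored = $row ? $row['password'] : str_repeat('0', 64); // constructed filler
    $pass   = hash('sha256', $salt . $posted_password);

    // hash_equals compares in constant time (PHP >= 5.6).
    return $row !== false && hash_equals($stored, $pass);
}

try {
    // Placeholder DSN and credentials; ERRMODE_EXCEPTION makes driver
    // failures throw instead of silently returning false.
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    if (login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
        echo 'Welcome';
    } else {
        // Same message for unknown user and bad password.
        echo 'Invalid username or password';
    }
} catch (PDOException $e) {
    // Keep the real driver error in the server log; the visitor sees
    // nothing about the database, the query, or the failure reason.
    error_log('DB error during login: ' . $e->getMessage());
    http_response_code(500);
    echo 'Login is temporarily unavailable';
}
```

The old mysql_* extension the question uses has no parameter binding and was removed in PHP 7, which is why the example is written against PDO.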