or if you want to do this risky and none secure thing try this:
$query="select * from members where user='".$_POST['user']."'and
pass=password('$pas')";well first you must check errors in mysql then storing in session also it is better to use: $user=mysql_real_escape_string($_POST['user']); then write the query
