I'm running some tests for this login system I'm writing with my friend, and we had already written our code with escaping, and not preparing. We're making sure it is invulnerable to anything put as a post_user and post_pass variable. Can you please check?
$_POST['post_user'] = mysql_real_escape_string($_POST['post_user']);
$_POST['post_pass'] = mysql_real_escape_string($_POST['post_pass']);
$query = mysql_num_rows(mysql_query(
    "SELECT * FROM `users` WHERE `user`='".$_POST['post_user']."' AND `pass`='".md5($_POST['post_pass'])."' AND `rank`='0'"
));
if ($query == 1) {
    $_SESSION[$this->host().'-us_user'] = $_POST['post_user'];
    $_SESSION[$this->host().'-us_pass'] = md5($_POST['post_pass']);
    $_SESSION[$this->host().'-us_token'] = $this->generateToken(16);
}
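
For comparison, the same login check written with a PDO prepared statement and `password_hash()`/`password_verify()` instead of escaping and `md5()`. This is an added example and not part of the original post. It assumes the `users` table layout shown above; the in-memory SQLite database, the sample account, the function names and the simplified session keys are constructed for illustration.

```php
<?php
// Added example: the post's login check with bound parameters and password_hash().
// Table layout follows the post (`users`: user, pass, rank); everything else is assumed.
declare(strict_types=1);

function authenticate(PDO $pdo, string $user, string $pass): bool
{
    // The value is bound as data, so quotes or SQL syntax in it never reach the parser.
    $stmt = $pdo->prepare('SELECT `pass` FROM `users` WHERE `user` = :user AND `rank` = 0');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn(); // false when no matching row exists

    // Verify against a dummy hash for unknown users so both paths cost about the same.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pass, is_string($hash) ? $hash : $dummy);
    return $ok && is_string($hash);
}

function establishSession(string $user): void
{
    session_regenerate_id(true);                        // fresh session id at login
    $_SESSION['us_user']  = $user;                      // hypothetical key names
    $_SESSION['us_token'] = bin2hex(random_bytes(16));  // CSPRNG-backed token
    // Neither the password nor its hash is stored in the session.
}

// Constructed demo data: in-memory SQLite stands in for the real MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `users` (`user` TEXT PRIMARY KEY, `pass` TEXT, `rank` INTEGER)');
$pdo->prepare('INSERT INTO `users` VALUES (?, ?, 0)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],      // valid credentials
    ['alice', 'wrong'],              // wrong password
    ["alice' OR '1'='1", 'x'],       // quote-bearing input is compared as a literal name
];
foreach ($attempts as [$user, $pass]) {
    $ok = authenticate($pdo, $user, $pass);
    if ($ok && session_status() === PHP_SESSION_ACTIVE) {
        establishSession($user);
    }
    printf("%-20s => %s\n", $user, $ok ? 'accepted' : 'rejected');
}
```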