pandaEater 0 Light Poster

I'm new to AJAX, PHP, and Javascript and I'm trying to learn more about them by setting up a user login for a website. I've gotten it working but there are a few problems I'm having trouble solving. Right now the login works, but I'd like to check if the login was successful and replace the input fields for the login with text. I've been trying Javascript regular expressions to check the responseText but I can't seem to make it work. My current attempts are commented out in the javascript/ajax code section below.
Also, in the php file how do I check if the USERNAME wasn't found so I can echo something like "username not found"?

And lastly, I haven't researched this on google yet so you don't need to answer this but, any opinions on the best way to prevent injections on this particular login example?

Here's the code:

HTML cutout:

<div id ="login"> <!--replace with welcome "name" if login succesful -->
       <form>
          Email: <input type="text" id="email" />
          Password: <input type="password" id="password" />
          <input type="button" value="Login" onclick="login(email,password)"/>
       </form>
        <div id="loginResponse"></div> <!--where incorrect username/password would go-->
        </div>

Javascript/AJAX:

<script type="text/javascript"> 

function login(email, password)
{
	if (email.value == ""){
  		document.getElementById("loginResponse").innerHTML="Invalid username and password... "; //change this
  		return;
  	} 
	if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safari
  		xmlhttp=new XMLHttpRequest();
  	}else{// code for IE6, IE5
  		xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  	}
	xmlhttp.onreadystatechange=function()
 	{
  		if (xmlhttp.readyState==4 && xmlhttp.status==200){
  			//var response = (string)xmlhttp.responseText;
  			//var isFound = new RegExp("Welcome");
  			//var welcome = /Welcome/.test(response);
  			//if (welcome) or if(isFound.test(response) ?? so far both have evaluated to true no matter what
   			document.getElementById("loginResponse").innerHTML=xmlhttp.responseText;
    	}
  	}
	xmlhttp.open("GET","login.php?username="+email.value + "&password="+password.value,true);
	xmlhttp.send();
}
</script>

PHP:

<?php 
$link = mysql_connect('mysqlsite', 'myname', 'mypassword'); 
if (!$link) { 
    die('Could not connect: ' . mysql_error()); 
} 
mysql_select_db(database1test); 

$user = $_GET['username']; 
$password = $_GET['password'];

$sql="SELECT * FROM TESTTABLE WHERE USERNAME = '" . $user . "'";

$result = mysql_query($sql);

if (!$result) {
    die('Could not query:' . mysql_error());
}

//check to make sure username/email is found echo something

while($row = mysql_fetch_array($result)){
	if($row['PASSWORD'] == $password){
		echo "Welcome, " . $row['F_NAME'];
	}else{
		echo "Invalid username and password. <a href=\"#\" id=\"createAccount\">create new account?</a>";
	}
}
	
mysql_close($link);
?>

Thanks for any help!