I did some quick searching and found some stuff about logon security in PHP but nothing was direct enough for this question. Using PHP, what are some recommened ways to make sure your pages are only access by someone who logged in correctly?

I am currently using MySQL which has a table named "users" and it contains their logon names, proper names, and encrypted passwords.

Right now I have every page include login.php as one of the very first lines. If the user is logged in then they will see no ouput from login.php. If they are not then it displays the login form and terminates loading anything further.

The user inputs their login name and password and then I run this query
PHP Code:
$query='SELECT * from users
       WHERE username="'.$username.'" AND password=password("'.$password.'")';
$sqlresult=mysql_query($query) or die(mysql_error());
$rowcount=mysql_num_rows($sqlresult); 
As far as I can tell, I should only get 1 row if the user successfully loggedin and Zero rows if they did not. I then proceed to set a SESSION variable like below. Then every page checks to see if that SESSION variable is set before it loads any of the page.
PHP Code:
$_SESSION['valid_user'] = $row['FullName']; 
Now I understand that there are probably many levels of security, everything ranging from no security, to light security, to your Pentagon (multi-billion dollar budget) security. My web app runs on a private Intranet of less than 150 people and only 4 people know it exists and have access to it. So I don't think I need heavy duty security. But I'm just not certain if this is good enough.