COMMENT: Your code is using a bad practice: You give a *different message* for bad user name than you give for bad password.
For hackers, this makes their job easier. They just try many many user names until they get one that says "bad password" (Verkeerd wachtwoord) and then they keep using that user name while they test many many passwords.
Might I suggest a better alternative?
$gebruikersnaam = mysql_real_escape_string($_REQUEST['gebruikersnaam']);
$wachtwoord = sha1($_REQUEST['wachtwoord']);
$sql = "SELECT 'okay' FROM gebruikers " .
" WHERE gebruikersnaam = '$gebruikersnaam'" .
" AND wachtwoord = '$wachtwoord' ";
$result = mysql_query( $sql ) or die (mysql_error());
if ( mysql_num_rows($result) == 0 )
// best would be to redirect them back to the login page
echo "Bad username or password.";
Now the hacker might have the user name *OR* the password correct, but unless both are correct he gets the same message, and so much less help to the hacker.