Anything within the $_COOKIE array can easily be spoofed and become an SQL Injection, it is still user input, so you would need to sanitise the variable before inserting it into your SQL Query.
Also, your column calls are ambiguous, you won’t need to use AS.
Example, in this query:
PHP Code:
$sql = "SELECT m.mid AS mid,
m.username AS username,
m.email AS email
FROM members AS m
WHERE username = '" . mysql_real_escape_string($username) . "'";
Your field names when used within mysql_fetch_assoc() are going to be:
username, email, and mid.
And they would be exactly the same if you just used the column names without the alias:
PHP Code:
$sql = "SELECT m.mid, m.username, m.email
FROM members AS m
WHERE username = '" . mysql_real_escape_string($username) . "'";
They would still be: 'mid', 'username', and 'email'.