Whitelisting is usually a lot safer than blacklisting. Start with a few files (jpg, gif, avi, whatever you desire) and expand as you test them. With blacklisting someone might manage to get a perl file or some other script file up and execute it.
Never put plain-text passwords anywhere. One-way hash them (sha1 - sha256) and compare upon login. Never put the password, in any form, in a cookie or otherwise user-trusted environment. If you need to remember the user, store his ID along with a randomly generated string that is in the DB and should be (almost) impossible to guess. Refresh this string on every login.
As for aesthetics, please change those colors.
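A runnable sketch of the three pieces of advice above, as an added example rather than the poster's own code: an extension whitelist, password hashing using a salted, slow PBKDF2-SHA256 in place of the plain sha1/sha256 mentioned, and a remember-me token that is random, stored only as a hash, and refreshed on every login. The in-memory dicts are constructed stand-ins for database tables.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-ins for the DB tables a real application would use.
USERS = {}     # user_id -> {"salt": bytes, "pw_hash": bytes}
REMEMBER = {}  # user_id -> sha256 hex of the currently valid remember-me token

# Whitelist: start with a few types and extend only as each one is tested.
ALLOWED_EXTENSIONS = {"jpg", "gif", "avi"}
PBKDF2_ROUNDS = 200_000


def upload_allowed(filename):
    """Accept a file only if every extension after the base name is whitelisted.
    'x.php.jpg' is rejected, so a double extension cannot smuggle a script."""
    parts = os.path.basename(filename).lower().split(".")
    return len(parts) >= 2 and all(p in ALLOWED_EXTENSIONS for p in parts[1:])


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(user_id, password):
    """Store only a per-user salt and the derived hash, never the password."""
    salt = secrets.token_bytes(16)
    USERS[user_id] = {"salt": salt, "pw_hash": _hash_password(password, salt)}


def login(user_id, password):
    """Return the remember-me cookie value on success, None on failure.
    A fresh random token is issued on every login, invalidating the old one."""
    rec = USERS.get(user_id)
    if rec is None:
        return None
    candidate = _hash_password(password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)                       # unguessable
    REMEMBER[user_id] = hashlib.sha256(token.encode()).hexdigest()
    return f"{user_id}:{token}"                              # ID + random string


def user_from_cookie(cookie):
    """Resolve a remember-me cookie to a user ID, or None if it is not current."""
    user_id, sep, token = cookie.partition(":")
    expected = REMEMBER.get(user_id) if sep else None
    if expected is None:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    return user_id if hmac.compare_digest(presented, expected) else None
```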