TekZen
Hi, myself and a friend are working on a site and we haven't done any PHP before, but for some strange reason we chose to do it in PHP. Below is the login script; I was hoping for some suggestions or feedback on how secure/not secure it is against attack. Also, what would be the best method for guarding against a brute force attack? (Best way to limit login attempts.)

```php
<?php
session_start();
//------------------------------------------------------------------------
// connection to the database, select table
include('connect.php');
//----------------------------------------------------//
// To protect against SQL injection on MSSQL, double quotes
$login = @str_replace("'", "''", $_POST['login']);
$password = @str_replace("'", "''", $_POST['password']);
$password = md5($password);
// To protect against SQL injection, strip backslashes
$login = @strip_tags($login);
$login = @stripslashes($login);
$password = @strip_tags($password);
$password = @stripslashes($password);
//------------------------------------------------------//
// SQL query
try {
    @$query = "SELECT * ";
    @$query .= "FROM Customers ";
    @$query .= "WHERE Username = '$login' AND Password = '$password'";
    // execute the SQL query and return records
    @$result = mssql_query($query);
    // display the results
    if ($row = mssql_fetch_object($result)) {
        @$_SESSION['SESS_Participent_ID'] = $row->Memberz_ID;
        @$_SESSION['SESS_Business'] = $row->Businesses_ID;
        @$_SESSION['SESS_FIRST_NAME'] = $row->firstnamez;
        @$_SESSION['SESS_LAST_NAME'] = $row->lastnamez;
        //============================================================================
        //============================================================================
        @header("location: member-index.php");
    } else {
        @header("location: login-failed.php");
    }
} catch (PDOException $e) {
    echo 'Login Failed. Please try again.';
}
?>
```
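The script above builds its query by string concatenation after doubling single quotes, hashes the password with unsalted MD5, and has no limit on login attempts. The following is an added example, not the poster's code, showing the usual alternatives: a bound-parameter query, `password_hash()`/`password_verify()`, and a per-account failure counter with a lockout window. It runs stand-alone against an in-memory SQLite database; the table and column names follow the post, while the `LoginAttempts` table, the sample account `alice`, the `MAX_FAILURES`/`LOCKOUT_SECONDS` policy and the DSN are assumptions. For MSSQL the DSN becomes `sqlsrv:Server=host;Database=db` and the queries stay the same.

```php
<?php
// Added example (not the original poster's script): parameterised login with
// hashed passwords and brute-force throttling. Runs stand-alone on SQLite; for
// MSSQL change the DSN to 'sqlsrv:Server=host;Database=db' (queries are portable).
declare(strict_types=1);

const MAX_FAILURES = 5;       // assumed policy: failures allowed before lockout
const LOCKOUT_SECONDS = 900;  // assumed policy: lock the account for 15 minutes

// Build the schema and one constructed sample account (column names follow the post).
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Customers (
        Memberz_ID INTEGER PRIMARY KEY, Username TEXT UNIQUE NOT NULL,
        PasswordHash TEXT NOT NULL, Businesses_ID INTEGER,
        firstnamez TEXT, lastnamez TEXT)');
    $db->exec('CREATE TABLE LoginAttempts (
        Username TEXT PRIMARY KEY, Failures INTEGER NOT NULL,
        LockedUntil INTEGER NOT NULL)');
    $db->prepare('INSERT INTO Customers
        (Username, PasswordHash, Businesses_ID, firstnamez, lastnamez)
        VALUES (?, ?, ?, ?, ?)')
       ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT),
                  7, 'Alice', 'Example']);
    return $db;
}

// Returns ['ok' => bool, 'reason' => string, 'user' => array|null].
// $now is passed in so the lockout window can be exercised without sleeping.
function login(PDO $db, string $username, string $password, int $now): array
{
    // 1. Refuse early if the account is locked; the password is not even checked.
    $st = $db->prepare('SELECT Failures, LockedUntil FROM LoginAttempts WHERE Username = ?');
    $st->execute([$username]);
    $attempt = $st->fetch(PDO::FETCH_ASSOC);
    $failures = $attempt ? (int)$attempt['Failures'] : 0;
    if ($attempt && (int)$attempt['LockedUntil'] > $now) {
        return ['ok' => false, 'reason' => 'locked', 'user' => null];
    }

    // 2. Look the user up by name only, through a bound parameter. Neither field
    //    is ever spliced into SQL text, so quoting tricks in the input are inert.
    $st = $db->prepare('SELECT Memberz_ID, Businesses_ID, firstnamez, lastnamez, PasswordHash
                        FROM Customers WHERE Username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);

    // 3. Verify against the stored hash. For an unknown user, verify against a
    //    throwaway hash so response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', PASSWORD_DEFAULT);
    $valid = password_verify($password, $row ? $row['PasswordHash'] : $dummyHash) && $row !== false;

    if (!$valid) {
        // 4. Record the failure; lock the account once the limit is reached.
        $failures++;
        $lockedUntil = $failures >= MAX_FAILURES ? $now + LOCKOUT_SECONDS : 0;
        $sql = $attempt
            ? 'UPDATE LoginAttempts SET Failures = ?, LockedUntil = ? WHERE Username = ?'
            : 'INSERT INTO LoginAttempts (Failures, LockedUntil, Username) VALUES (?, ?, ?)';
        $db->prepare($sql)->execute([$failures, $lockedUntil, $username]);
        // Same outcome for a wrong password and an unknown user.
        return ['ok' => false, 'reason' => $lockedUntil ? 'locked' : 'bad_credentials', 'user' => null];
    }

    // 5. Success: clear the counter and rotate the session id against fixation.
    $db->prepare('DELETE FROM LoginAttempts WHERE Username = ?')->execute([$username]);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['SESS_Participent_ID'] = $row['Memberz_ID'];
        $_SESSION['SESS_Business'] = $row['Businesses_ID'];
    }
    unset($row['PasswordHash']);
    return ['ok' => true, 'reason' => 'ok', 'user' => $row];
}

// Demo run (php this_file.php): one bad password, one injection attempt,
// enough failures to trip the lockout, then a retry after the window expires.
$db = openDb();
$now = time();
printf("wrong password:     %s\n", login($db, 'alice', 'wrong', $now)['reason']);
printf("injection attempt:  %s\n", login($db, "' OR '1'='1", "' OR ''='", $now)['reason']);
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login($db, 'alice', 'wrong', $now);
}
printf("correct but locked: %s\n", login($db, 'alice', 'correct horse', $now)['reason']);
printf("after lockout:      %s\n", login($db, 'alice', 'correct horse', $now + LOCKOUT_SECONDS + 1)['reason']);
```

A pure per-account lockout lets anyone who knows a username lock that user out, so in practice it is paired with a per-client (IP or device) counter, progressive delays or a CAPTCHA rather than used alone. Existing MD5 hashes cannot be converted offline; the usual migration is to accept the old hash once more on the next successful login and store a `password_hash()` value in its place.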