TekZen

Posts posted by TekZen

  1. Hi,

    Myself and a friend are working on a site and we haven't done any PHP before, but for some strange reason we chose to do it in PHP. Below is the login script; I was hoping for some suggestions or feedback on how secure/not secure it is against attack?

    Also, what would be the best method for guarding against a brute force attack? (best way to limit login attempts)

    <?php
    session_start();
    //------------------------------------------------------------------------
    //connection to the database select table
    include('connect.php');
    
    //----------------------------------------------------//
    //To protect against SQL injection on MSSQL, escape quotes
    
    $login = @str_replace("'", "''", $_POST['login']);
    $password = @str_replace("'", "''", $_POST['password']);
    $password = md5($password);
    
    // To protect SQL injection Strip backslashes
    $login = @strip_tags($login);
    $login = @stripslashes($login);
    $password = @strip_tags($password);
    $password = @stripslashes($password);
    //------------------------------------------------------//
    
    //SQL query
    try{
    @$query = "SELECT * ";
    @$query .= "FROM Customers ";
    @$query .= "WHERE Username = '$login' AND Password = '$password'";
    
    //execute the SQL query and return records
    @$result = mssql_query($query);
    
    //display the results
    if($row = mssql_fetch_object($result))
    {
      @$_SESSION['SESS_Participent_ID'] = $row->Memberz_ID;
      @$_SESSION['SESS_Business'] = $row->Businesses_ID;
      @$_SESSION['SESS_FIRST_NAME'] = $row->firstnamez;
      @$_SESSION['SESS_LAST_NAME'] = $row->lastnamez;
    //============================================================================
    
    //============================================================================
        @header("location: member-index.php");
    }
    else
    {
      @header("location: login-failed.php");
    }
    }
    catch(PDOException $e)
    {echo 'Login Failed. Please try again.';}
    ?>
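    A hardened version of the same login flow, added here as an example rather than TekZen's code: it replaces string quoting with a prepared statement, md5() with password_verify(), and adds a per-account failed-attempt limit to answer the brute-force question. It assumes connect.php creates a PDO connection named $pdo (sqlsrv driver), that Customers has a PasswordHash column filled by password_hash() at registration, and that a LoginAttempts(Username, FailedCount, LastFailed) table exists; all three are assumptions, not part of the original post.

```php
<?php
// Added example (not TekZen's script): prepared statements, password_verify()
// and a per-account lockout. Assumptions: $pdo from connect.php (sqlsrv PDO),
// Customers.PasswordHash holding password_hash() output, and a
// LoginAttempts(Username, FailedCount, LastFailed) table for throttling.
session_start();
include('connect.php'); // assumed: $pdo = new PDO('sqlsrv:Server=...;Database=...', $u, $p);
const MAX_ATTEMPTS = 5;      // failures before the account is locked
const LOCKOUT_SECONDS = 900; // lockout window (15 minutes)
$login = isset($_POST['login']) ? (string)$_POST['login'] : '';
$password = isset($_POST['password']) ? (string)$_POST['password'] : '';

// 1. Refuse while the account is inside its lockout window.
$stmt = $pdo->prepare('SELECT FailedCount, LastFailed FROM LoginAttempts WHERE Username = ?');
$stmt->execute([$login]);
$attempt = $stmt->fetch(PDO::FETCH_ASSOC);
if ($attempt && $attempt['FailedCount'] >= MAX_ATTEMPTS
    && time() - strtotime($attempt['LastFailed']) < LOCKOUT_SECONDS) {
    header('Location: login-failed.php'); // same page as a bad password: do not reveal lockout state
    exit;
}

// 2. Bound parameter instead of str_replace/stripslashes: no quoting needed.
$stmt = $pdo->prepare('SELECT Memberz_ID, Businesses_ID, firstnamez, lastnamez, PasswordHash FROM Customers WHERE Username = ?');
$stmt->execute([$login]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Compare against the salted hash; md5() is not a password hash.
if ($row && password_verify($password, $row['PasswordHash'])) {
    $pdo->prepare('DELETE FROM LoginAttempts WHERE Username = ?')->execute([$login]);
    session_regenerate_id(true); // fresh session id on login (session fixation defence)
    $_SESSION['SESS_Participent_ID'] = $row['Memberz_ID'];
    $_SESSION['SESS_Business'] = $row['Businesses_ID'];
    $_SESSION['SESS_FIRST_NAME'] = $row['firstnamez'];
    $_SESSION['SESS_LAST_NAME'] = $row['lastnamez'];
    header('Location: member-index.php');
    exit;
}

// 4. Record the failure for known and unknown usernames alike, so the response
// is identical either way; a failure after the window expired restarts the count.
$upd = $pdo->prepare('UPDATE LoginAttempts SET FailedCount = CASE WHEN DATEDIFF(second, LastFailed, GETDATE()) > '
    . LOCKOUT_SECONDS . ' THEN 1 ELSE FailedCount + 1 END, LastFailed = GETDATE() WHERE Username = ?');
$upd->execute([$login]);
if ($upd->rowCount() === 0) {
    $pdo->prepare('INSERT INTO LoginAttempts (Username, FailedCount, LastFailed) VALUES (?, 1, GETDATE())')->execute([$login]);
}
header('Location: login-failed.php');
exit;
```

    Per-account lockout alone lets an attacker lock out legitimate users, so in practice it is paired with a per-IP limit or a CAPTCHA after a few failures.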
