I fully agree with ajt about the password issue. Hopefully you will have configured your database to reject any connections from the outside world, otherwise you would have a *big* security hole as the passwords do not appear to be stored in an encrypted form.

A technique which I have used in the past is to have your CGI program send an email to the administrator whenever an invalid password is entered. Make sure the email contains the username, password, time, and originating IP address. The 'Login failed' page can then include this information, details of the Computer Misuse Act, and notification that the hacking attempt has been recorded. Obviously this won't stop a determined hacker, but might scare the script kiddies and at least you'll know if someone's trying to break in when your mailbox starts filling up...

Cheers,

JJ