My guess: if the login is incorrect, then no rows are returned. That means your attempt to call fetchrow_array returns undef, and thus the while loop is never executed at all.

Another note: maybe this is a simplified version of your code, but you should probably check $login to make sure it doesn't contain any characters you don't want. Since it's used directly in the SQL query, a user could possibly use it to inject their own SQL query to be executed.

DBI provides methods to help with that, with things such as the quote() method.

- Matt Riffle