to expand a bit on what dws is trying to say, and to make your code safer, substiute this part of your code:

my $SQL    = "SELECT username, password FROM user WHERE username =    
+ '$username'";
my @row;
@row = $dbh->selectrow_array($SQL);
[download]

with the following:

my $sth = $dbh->prepare("SELECT username, password FROM user WHERE    
+  username = ?");

$sth->execute($username);
# execute substitutes $username in place of the question
# mark above, correctly formatted, with all bad news
# characters removed by the DBI

my @row = $sth->fetchrow;
[download]

Hope that helps.