I see you check for SQL injection of the login name:
$loginName = mysql_real_escape_string($loginName);
Do you filter bad content for the submitted password?
Edit: now that I look at it, you are sending the POSTed login name straight to the SQL, aren't you?
This:
new user($db,$_POST['username']);
should be this:
new user($db,$loginName);
If I'm reading this correctly.
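For comparison, here is an added example (not the poster's or the original thread's code) showing the pattern the reply describes, the raw `$_POST` value concatenated into the query, next to a hardened login that uses a prepared statement and `password_verify()`; it is written against PDO because the `mysql_*` functions were removed in PHP 7. It assumes a `users(id, username, password_hash)` table and builds an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example; not code from the thread. Assumes a users(id, username, password_hash) table.

// Vulnerable pattern from the thread: the raw POST value is spliced into the
// SQL string, so a username containing a quote changes the query itself.
function findUserUnsafe(PDO $db, array $post): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '"
         . $post['username'] . "'";            // no escaping, no placeholder
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened version: the username travels as a bound parameter, so it is always
// treated as data. The password is never "filtered" or put into SQL at all; it
// is checked against the stored hash with password_verify().
function authenticate(PDO $db, array $post): ?array
{
    $username = (string)($post['username'] ?? '');
    $password = (string)($post['password'] ?? '');
    if ($username === '' || $password === '') {
        return null;
    }

    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same null result for unknown user and wrong password (no account enumeration).
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);                // never hand the hash back to callers
    return $row;
}

// Stand-alone setup: constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// A legitimate username containing a quote works with the prepared statement;
// findUserUnsafe() would have produced a malformed query for the same input.
var_dump(authenticate($db, ['username' => "o'brien", 'password' => 'correct horse']));
var_dump(authenticate($db, ['username' => "o'brien", 'password' => 'wrong']));
```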