Can anyone see any problems in my php login script that would allow someone to use sql injection techniques to gain access ?

or any other problems for that matter (reguarding the method i use to store/verify the hash/password)?

$luser = username passed to the php page
$lpword = password passed to the php page

i recommend using a function like htmlspecialchars
or htmlentites or addslashed on $luser, so no special chars would be added

you could add this to verify:

Hi

Just for some background ... if you're not filtering $luser before passing it to the DB then yes, there are issues. By including an apostrophe in that string, that finishes the first set of quotes. Then arbitrary SQL can be included. Finally, we have to deal with the last quote, so mysql supports three different types of comments: the '#' character, the MS-SQL style '--' delimeter, and the C-style '/* and */'. So $luser could be something as trivial as

"foo'; drop database bar; --"

which will silently drop the db if privilege allows ... however, using different techniques, it may be possible to actually circumvent the login script, by causing an update statement to be run to set password to a known value for a given user, allowing a second attempt at running the script to authenticate. It all depends on DB permissions and if your algorithm is known ... but you probably already knew that