One error I can see is you have a semicolon after your LIMIT 0, 100. That will kill the SQL query.

However security wise your code is not good. You're taking external data and putting it straight into a database query (the username and password), and to add to that why the Limit of the first 100 records? Surely the user will only have one record with you? Besides the fact that you only check the first one anyhow.

You need to secure your data, ideally using mysql_real_escape_string() which you can read up on at php.net. Then change the limit to LIMIT 1. Afterall, once it's found one record it can stop.