Of course, if you are encrypting your passwords before storing them, there's no need to check what exactly they are - only the encrypted version is put in the query. If you MD5 them first, then they're only ever 32-char chunks of hex digits.
This means of course you have to use PHP's MD5() function rather than MySQL's (otherwise the query will be getting the unencrypted password). But that's okay: I've seen MySQL do strange and worrying things with text which cause its MD5 to return strange results. It's partly for that reason that I don't use MySQL 🙂
I'm also not a fan of "trying to guess what an attack might look like, and preventing it", because I might not guess every possible attack. Instead, I prefer to allow only input I know is safe: in other words, usernames, for example, should contain only valid characters, where I decide what is "valid", and "invalid" is everything else. This is instead of trying to remember every possible "invalid" character and then saying that usernames should not contain invalid characters.
Oh, and on a technical note in relation to your validateLogin function; if you want to see if there are records that match a query, instead of returning the entire record, it's more efficient to have a query that just COUNT(*)s them and returns the count. Replace "*" (which alone should only be used as a last resort) with "COUNT(*)" and you'll get back one record with one field, containing what mysql_num_rows() is giving you now.
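The three points in the comment above (allow-list the username rather than hunting for bad characters, hash the password in PHP before it ever reaches the query, and ask the database for a COUNT(*) instead of pulling the whole row) put together in one small login check. This is an added example, not the poster's code: it uses PDO with prepared statements and an in-memory SQLite database so it runs stand-alone, where the thread is using the old mysql_* functions against MySQL; the users table, its columns and the sample account are constructed for the demo. It keeps md5() because that is what the thread discusses; for new password storage PHP's password_hash()/password_verify() are the appropriate choice.

```php
<?php
// Added example (not the original poster's code). Demonstrates:
//   1. allow-list validation of the username (decide what is valid, reject the rest),
//   2. hashing in PHP, so the query only ever carries a 32-char hex string,
//   3. a COUNT(*) query instead of fetching the matching row.
// Uses PDO + in-memory SQLite so it runs offline; table/column names are assumptions.

declare(strict_types=1);

// Allow-list: a username IS valid only if it matches this pattern.
// Everything else (quotes, spaces, semicolons, anything unexpected) is invalid.
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) === 1;
}

// Returns true when exactly one account matches the username and hashed password.
function validateLogin(PDO $db, string $username, string $password): bool
{
    if (!isValidUsername($username)) {
        return false;   // rejected before any SQL is built
    }

    // Hash in PHP, not with MySQL's MD5(): the plaintext password never enters the query.
    // md5() is kept to match the thread; prefer password_hash() for real password storage.
    $hash = md5($password);

    // COUNT(*) returns one row with one column instead of the whole user record.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE username = :u AND password_hash = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $hash]);

    return (int) $stmt->fetchColumn() === 1;
}

// --- constructed demo data -------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash CHAR(32) NOT NULL)');

$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', md5('correct horse')]);   // sample account, constructed

$cases = [
    ['alice',   'correct horse'],   // right user, right password  -> OK
    ['alice',   'wrong'],           // right user, wrong password  -> denied
    ["o'brien", 'correct horse'],   // quote is not in the allow-list -> denied, no query run
    ['bob',     'correct horse'],   // unknown user                -> denied
];

foreach ($cases as [$u, $p]) {
    printf("%-10s %s\n", $u, validateLogin($db, $u, $p) ? 'OK' : 'denied');
}
```

The allow-list check runs before any database access, so input that fails it never becomes part of a query; the prepared statement then handles the values that do pass, and the hash leaves nothing but hex digits in the password parameter either way.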