2
votes

You are writing the login routine for a password protected website. Give examples of specific user input errors that you might want to catch, and how you might deal with them.

This is an interview question.

I answered this as follows:

We should add both client side errors and server side errors.

Client side error: Check if the user put nothing in the username field. We can show a message using JavaScript that “username not entered”.

Server side error: We can check if the username does not exist in the database and can throw an error message. We can check if the password does not match in the database for the entered username.

Can anyone suggest? Are these the only errors we can catch?


2 Answers

4
votes

I'd consider syntactically invalid usernames (empty; too short or too long; containing invalid characters like possibly spaces, quote marks or shell/SQL metacharacters; structurally invalid, i.e., starting with dot or number), and syntactically invalid passwords (too short or even empty, too "simple", or equal to username). All these cases you can validate client side with JS, recycling the same code for the "Creating new user, choose user and password" view.

Server side, you might have a backend connection error (i.e. not being able to tell whether the user does exist -- not exactly a user error, but we might want to manage it here nonetheless), user not found, password mismatch, and possibly "login disabled" (this is quite common on auto-create-user websites: the login exists but must be validated by clicking on a link sent through email. Then again, one might want to place these "not-yet-users" in a storage apart to avoid clogging/churning on the real user database). Of course you might also want to add a special disable state and message ("Your membership fee is overdue"). Other additional "errors" and "warnings" may be added here, e.g. "You're not logging from your usual IP block(s) [, would you mind answering this security question?]" or "password expired, choose another password".

2
votes

IMO, the main issue (assuming SQL as the database for the users and passwords) is SQL injection that, for example, adds a specific user with admin access.

Dealing with it can be done using libraries on the server side to handle all user input — rather than trying to do it on your own.
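An added example (not code from either answer) that combines the cases listed in the two answers: a server-side login that re-checks username and password syntax, looks the user up through a bound query parameter, and returns a distinct outcome for each error. The username policy, table layout, outcome names and PBKDF2 hashing are assumptions made for illustration.

```python
import hashlib, hmac, os, re, sqlite3

# Assumed username policy: 3-32 chars, starts with a letter, then letters/digits/._-
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{2,31}")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_demo_db():
    """Constructed in-memory user table; 'bob' has not confirmed his e-mail yet."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, enabled INTEGER)")
    for name, pw, enabled in [("alice", "correct horse", 1), ("bob", "not-yet-confirmed", 0)]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                   (name, salt, hash_password(pw, salt), enabled))
    return db

def login(db, username, password):
    """Return one of: invalid_username, invalid_password, backend_error,
    user_not_found, password_mismatch, login_disabled, ok."""
    # Syntax checks are repeated server side because client-side JS can be skipped.
    if not USERNAME_RE.fullmatch(username):
        return "invalid_username"
    if not password or password == username:
        return "invalid_password"
    try:
        # Placeholder binding: the driver sends username as data, never as SQL text.
        row = db.execute("SELECT salt, pw, enabled FROM users WHERE name = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        return "backend_error"  # cannot tell whether the user exists
    if row is None:
        return "user_not_found"
    salt, stored, enabled = row
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "password_mismatch"
    if not enabled:
        return "login_disabled"
    return "ok"
```

The outcomes are internal codes for logging and control flow; the page shown to the user can map `user_not_found` and `password_mismatch` to the same message.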