a couple of things:
This way of read user is no a good one.. what if you have 1000 users??? you will read all the table to see if there are a matching user?? better try to get the user directly from the database (do a Sql passing the user and password.. and please use parameters to avoid an sql injection)...
The problem with the fields filled with spaces is probably a database problem, witch database are you using and what is the field definition?
Replace response.redirect with server.transfer... redirect cause an unnecessary round trip to the client.
Read this if you want to know how to get a correct reply for your question:
^^Took that from dparsons signature and he Took that from planoie's profile
My programs achieved a new certification (can you say the same?):
WORKS ON MY MACHINE