I downloaded and was testing your access user class today. The login page appears to be vulnerable to a SQL injection attack if you have magic_quotes_gpc turned off. As a result, I can log in as the administrator without knowing the password. To reproduce, go to the login form and enter whatever you want in the password field and then enter the following as the username:
administrator' or 'a'='a
I'm using version 1.95 of your class which was updated on 2007-01-31. It looks like you need to pass all user input data to addslashes or mysql_real_escape_string before using it in the SQL query.