Store the "username" they tried in the session as well as the count. Then check if it was the same. if it wasn't, reset the count.
If someone is trying to hack his way in, all he has to do is try three times, then try a different name three times, then back to the original, then the second, and so forth. Better to fail the way you are and refuse to let him try. And lock the actual account he is trying, and use a cookie to slow him down.
And please, don't do passwords like that! Well done on using parameterised queries, but...passwords stored as text is a major security risk. See here: Password Storage: How to do it.
And one more thing: never report separate messages for bad username and bad password - use the same message so wannabes can't tell if they have a valid username.[/edit]