AlexK - 6:04 pm on Dec 28, 2011 (gmt 0)

A small, general extra:

When building a site/page, add the following:

error_reporting( E_ALL );

...and fix *every* error, warning or notice. You cannot imagine how many so-called notices are actually full-blown script errors. Fix them all.

On your public-facing scripts, allow zero errors to show.

On your specific question, far better to store encrypted (md5 is a typical one) and test for password equality to the retrieved value

eg
SELECT `md5` from `db` WHERE `name`='username'

Then:
1 is `name` in the DB at all?
2 if yes, test md5(password)=mysql_md5 (in PHP)

Thus, break it down into small steps and, if you have errors, test one step at a time. Try to resist the urge to cram it all into one huge algorithm.