Best/most secure form of authentication

Anon

Can someone give me their opinion on what is the most secure/reliable form of user authentication for PHP4/MySQL website.

Currently, I just use a simple script like:
$query = mysql_query("SELECT username,password FROM clients WHERE username='$username'";

$result = mysql_query($query);

$number = mysql_num_rows($result)'
if($number>1)
print "username taken";
else
print "username accepted";

Is there any obvious flaws/weaknesses with this method (esp. regarding security)?

Thanks,
Mike

mp96brbj

First of all, your $query isn't really authenticating, since it's asking for the password instead of supplying it. This makes more sense to me:
SELECT username FROM clients WHERE username='$username' AND password='$password';

However, there are some security aspects that are relatively easy to take care of:

You could encrypt the password using the MySQL function PASSWORD():

SELECT PASSWORD('coffee');

Other than that, restrict the MySQL access privileges as much as you can (see chapter 6 in the MySQL manual), make sure MySQL requires a username and password to allow the script access to the DB, and give the PHP scripts as few access privileges as you can, so no-one but you can view the source code when logged in on FTP.

I'm not sure about the last one; I'm not sure if the scripts stop working if you remove the Read permission for 'nobody'.

I'm sure there are more things that can be done, but these are the things I know of. Keep your passwords safe.