PHP/MySQL Secure Login & Sessions

Question

I have a login service to my current website and what I was wondering is - is there any particular method you could call the MOST Secure?

Allow me to explain my system a little better:

I currently have a PHP MySQL database with a users table. The username and password are both stored as VARCHAR (not the best for passwords I know).

On the sign up form side, I regulate the choice of passwords and usernames by only allowing a-Z 0-9 entry and limit the number of characters. On the login form side, I stop attacks by using mysql_real_escape_string and I use POST to an iFrame instead of AJAX.

I feel I am doing what I can to prevent attacks from the Form side, but not from the database side. I know you can change the type of password storage to encrypt upon entry to the database, but what I don't understand is how I would then query this encrypted string.

Given what I've described, what would you advise in terms of added security and why? What are your chosen methods to prevent hacking and attacks? Can you see any glaring security holes in what I've described? Perhaps most importantly of all, what could I do to correct these, given that I've not been in the web-development game long and don't have much experience?

(Bear in mind that I'm not creating a system to house confidential or inflammatory data)

Answer 1

First of all, don't store plain text passwords in your database. So, when registering a new user insert their password as a hash. MD5 is most commonly used for this. I suggest using a salt with this. So for storing:

$password = md5($yoursalt . $_POST['password']);

Now when the user wants to login, you have their password again in your post. Now make the same hash as before and search for this hash in the database (with their username). This way you don't store their actual passwords.