The major thing for proper authentication is how you handle usernames and passwords. In your code excerpt both have serious problems.
You store the password and username as plain text in the database. This should never be done. You don't need to know the password, you just need to know if the one originally stored matches the one entered.
Never concatenate text from the user interface into a SQL statement. This leaves you open to SQL injection (see "SQL injection" on Wikipedia) and other potential problems.
I suggest going through "Password Storage: How to do it." It gives you a good idea of the basic principles that should be met.
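The two points above, shown side by side as an added example (this is not code from the original question or answer, and it assumes nothing about the asker's language or database). It uses only the Python standard library: `sqlite3` with an in-memory database, `hashlib.pbkdf2_hmac` with a per-user random salt for storage, and `hmac.compare_digest` for the check. The table names, the `legacy_login` function and the user "alice" are constructed for the demonstration; `legacy_login` reproduces the plain-text plus string-concatenation pattern being warned against so the injection can be seen succeeding against it and failing against the parameterised, hashed version.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumption: standard library only, in-memory SQLite so it runs offline.
PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store only the salt and the digest, never the password itself.
    The INSERT is parameterised: the driver binds the values, so user-supplied
    text is never spliced into the SQL."""
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Run the KDF anyway so an unknown username is not distinguishable by timing.
        hash_password(password)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def legacy_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the answer warns against (constructed for contrast, do not copy):
    plain-text password column and a query built by concatenation."""
    sql = (
        "SELECT 1 FROM legacy_users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def new_connection() -> sqlite3.Connection:
    """Build both tables and register the constructed user 'alice' in each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    register(conn, "alice", "correct horse battery staple")
    conn.execute(
        "INSERT INTO legacy_users VALUES (?, ?)", ("alice", "correct horse battery staple")
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = new_connection()
    injection = "' OR '1'='1"
    # Against the concatenated query the password field becomes
    #   ... AND password = '' OR '1'='1'
    # which is always true, so the login succeeds without the password.
    print("legacy login with injected password:", legacy_login(conn, "alice", injection))
    # Against the parameterised, hashed version the same string is just a wrong password.
    print("hardened login with injected password:", verify_login(conn, "alice", injection))
    print("hardened login with real password:",
          verify_login(conn, "alice", "correct horse battery staple"))
```

Run it and the legacy login reports True for the injected string while the hardened one reports False; only the real password passes `verify_login`. Swapping PBKDF2 for scrypt or Argon2 changes only `hash_password`; the storage layout (salt plus digest, no password) and the parameterised queries stay the same.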