Do not pull down the values and compare them yourself; let the SQL do the comparison for you.
For instance:
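// The escaped values must sit inside single quotes: mysql_real_escape_string() only protects a quoted string literal.
$sql = "SELECT UserID FROM User WHERE Username = '".mysql_real_escape_string($username)."' AND Password = '".mysql_real_escape_string($password)."'";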
This would pull back all records where the database Username equals the supplied username and the database Password equals the supplied password. If you have 0 records, it did not validate; if you have more than 0 records (or rather, exactly 1 record), the user successfully validated.
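
The same check with bound parameters instead of string concatenation, as an added example that is not part of the original post. It assumes PDO with the SQLite driver and an in-memory database; the credentialsMatch() function, the table definition and the sample rows are constructed for illustration.

```php
<?php
// Added example: the database does the comparison and only a match count
// comes back. Assumptions: PDO + SQLite in memory, hypothetical function
// name, constructed User table (the post itself uses the mysql_* functions).

function credentialsMatch(PDO $db, string $username, string $password): bool
{
    // Bound parameters are sent as data, so no manual escaping or quoting
    // of the supplied values is needed.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM User WHERE Username = :u AND Password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $matches = (int) $stmt->fetchColumn();

    // 0 rows: did not validate. Exactly 1 row: validated. Username is
    // declared UNIQUE below, so any other count is treated as a failure.
    return $matches === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (
    UserID   INTEGER PRIMARY KEY,
    Username TEXT NOT NULL UNIQUE,
    Password TEXT NOT NULL
)');

// Constructed sample rows; the Password column holds whatever value the
// application stores and compares against.
$insert = $db->prepare('INSERT INTO User (Username, Password) VALUES (?, ?)');
$insert->execute(['alice', 'sample-value-1']);
$insert->execute(["o'brien", 'sample-value-2']);

// Matching pair.
var_dump(credentialsMatch($db, 'alice', 'sample-value-1'));
// Known user, wrong password.
var_dump(credentialsMatch($db, 'alice', 'sample-value-2'));
// A quote inside the supplied value is bound as data and still matches.
var_dump(credentialsMatch($db, "o'brien", 'sample-value-2'));
// Unknown user.
var_dump(credentialsMatch($db, 'mallory', 'sample-value-1'));
```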
