Leaderboard

Popular Content

Showing content with the highest reputation on 06/29/2019 in Posts

  1. I overstated the issue with else. It's bad form, but not an error. The uninitialized variable is probably the reason things don't work as you expect. I fixed a few issues and formatted your code properly:

     ```php
     <?php
     session_start();

     $servername = "localhost";
     $dbusername = "";
     $dbpassword = "";
     $dbname = "";

     $conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
     if ($conn->connect_error) {
         die("Connection failed: " . $conn->connect_error);
     }

     $id = "";
     $username = $_POST['username'];
     $password = md5($_POST['password']);

     $func = "SELECT contrasena FROM users WHERE username='$username'";
     $realpassask = $conn->query($func);
     $realpassaskres = $realpassask->fetch_assoc();
     $realpass = $realpassaskres['contrasena'];

     $func2 = "SELECT bloqueado FROM users WHERE username='$username'";
     $blockedask = $conn->query($func2);
     $blockedres = $blockedask->fetch_assoc();
     $bloqueado = $blockedres['bloqueado'];

     //Login
     if (!empty($username)) {
         // Check the email with database
         $userexists = $pdo->prepare("SELECT COUNT(username) FROM users WHERE username= '$username' LIMIT 1");
         $userexists->bindParam(':username', $username);
         $userexists->execute();

         // Get the result
         $userexistsres = $userexists->fetchColumn();

         // Check if result is greater than 0 - user exist
         if ($userexistsres == 1) {
             if ($bloqueado == 'NO') {
                 if ($password != $realpass) {
                     die("contrasena incorrecta");
                 } else {
                     $_SESSION['loguin'] = "OK";
                     $_SESSION['username'] = "$username";
                     header("Location: ./herramientas.php");
                     exit;
                 }
             } else {
                 die("Tu usuario ha sido bloqueado o todavía no ha sido aceptado por un administrador. Si el problema persiste contacta con contacto@leonmacias.com");
             }
         } else {
             die("No hay ninguna cuenta con este nombre de usuario");
         }
     } else {
         echo 'El campo usuario esta vacio';
     }
     ```

     For example, you had $id = "''"; Not sure what you were trying to do there. If you are initializing it to a null equivalent empty string then just use "" or ''.

     I removed the ending '?>' from the file. You don't need it and it's best not to have end block statements as they can in some circumstances cause issues. I'd recommend looking at PSR-2 and adopting those standards.

     Something odd about your code is when you do 2 queries in a row where USERNAME = '$username'. Do one query and either SELECT * or SELECT contrasena, bloqueado.

     Whenever you have a header('Location:...) you need to follow that with exit/die. (They are the same function, but most people use exit.)

     Of course currently you are doing those queries and yet you do nothing with them. Also, because you are not using prepared statements with bound parameters, your code will allow SQL injection. Again, our advice is that you use PDO. Here's a tutorial that will teach you everything you need to know.
    1 point
  2. The first step towards writing decent code is to properly indent and format your code. Don't put multiple lines of code on the same line. You should have a newline at the end of each line. You should have indentation for any blocks. PHP is case sensitive for most things other than function names and class names. Be consistent. Make all control statements (if-then-else) lower case.

     ```php
     //Login
     if(!empty($username)) {
         // Check the email with database
         $userexists = $pdo->prepare("SELECT COUNT(username) FROM users WHERE username= '$username' LIMIT 1");
         $userexists->bindParam(':username', $username);
         $userexists->execute();
     ```

     The $pdo variable doesn't exist, however this is where it looks like you dropped in some PDO code. The consensus of experts at phpfreaks is that PDO is the better database API to use, so we'd recommend you convert everything to PDO anyways.
    1 point
  3. Pity, because you need to show that bit too. The first half of your code uses a mysqli connection and the latter half uses PDO. Do you have two connections? Any chance you could format your code into something legible next time and place it in a code box (<> button in toolbar)? A few line breaks and indents would be appreciated.
    1 point
  4. Ok... so I googled PDO and found a phpdelusions.net about it, will this be a good introduction for me?
    1 point
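
The advice in the posts above (one query for both columns, PDO with a bound `:username` parameter instead of an interpolated `$username`) as an added example that is not code from the thread. The in-memory SQLite database, the sample users, the `checkLogin` function name and the use of `password_hash()`/`password_verify()` in place of the thread's `md5()` are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posts; the in-memory SQLite database and the sample rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, contrasena TEXT, bloqueado TEXT)');
$ins = $pdo->prepare('INSERT INTO users VALUES (:u, :p, :b)');
foreach ([['ana', 's3creta', 'NO'], ['luis', 'clave', 'SI'], ["o'brien", 'verde', 'NO']] as [$u, $p, $b]) {
    // Assumption: password_hash() replaces the thread's md5() for stored passwords.
    $ins->execute([':u' => $u, ':p' => password_hash($p, PASSWORD_DEFAULT), ':b' => $b]);
}

// Returns 'ok', 'empty', 'unknown', 'blocked' or 'bad_password'.
function checkLogin(PDO $pdo, string $username, string $password): string
{
    if ($username === '') {
        return 'empty';
    }
    // One query for both columns; :username is bound, never interpolated.
    $stmt = $pdo->prepare(
        'SELECT contrasena, bloqueado FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'unknown';
    }
    if ($row['bloqueado'] !== 'NO') {
        return 'blocked';
    }
    return password_verify($password, $row['contrasena']) ? 'ok' : 'bad_password';
}

// Constructed inputs. The apostrophe in "o'brien" reaches the database as data,
// because the statement text and the value travel separately.
$cases = [['ana', 's3creta'], ['ana', 'wrong'], ['luis', 'clave'], ["o'brien", 'verde'], ['nadie', 'x'], ['', 'x']];
foreach ($cases as [$u, $p]) {
    $result = checkLogin($pdo, $u, $p);
    // On 'ok' a web page would set $_SESSION, send header('Location: ...') and exit.
    printf("%-10s => %s\n", $u === '' ? '(empty)' : $u, $result);
}
```

Run it from the command line with the `pdo_sqlite` extension enabled; against MySQL only the `new PDO(...)` connection string changes.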
This leaderboard is set to New York/GMT-04:00