I overstated the issue with else. It's bad form, but not an error. The uninitialized variable is probably the reason things don't work as you expect. I fixed a few issues and formatted your code properly:
```php
<?php
session_start();

$servername = "localhost";
$dbusername = "";
$dbpassword = "";
$dbname = "";

$conn = new mysqli($servername, $dbusername, $dbpassword, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$id = "";
$username = $_POST['username'] ?? '';
$password = md5($_POST['password'] ?? '');

// Both queries below build SQL by string interpolation (no bound parameters).
$func = "SELECT contrasena FROM users WHERE username='$username'";
$realpassask = $conn->query($func);
$realpassaskres = $realpassask->fetch_assoc();
// Array keys must be quoted strings; fetch_assoc() returns null when no row matches.
$realpass = $realpassaskres['contrasena'] ?? null;

$func2 = "SELECT bloqueado FROM users WHERE username='$username'";
$blockedask = $conn->query($func2);
$blockedres = $blockedask->fetch_assoc();
$bloqueado = $blockedres['bloqueado'] ?? null;

// Login
if (!empty($username)) {
    // Check the username against the database.
    // Uses the mysqli connection opened above ($pdo was never defined in this script).
    $userexists = $conn->query("SELECT COUNT(username) FROM users WHERE username='$username' LIMIT 1");
    // Get the result
    $userexistsres = (int) $userexists->fetch_row()[0];

    // Check if result is 1 - user exists
    if ($userexistsres == 1) {
        if ($bloqueado == 'NO') {
            if ($password != $realpass) {
                die("contrasena incorrecta");
            } else {
                $_SESSION['loguin'] = "OK";
                $_SESSION['username'] = $username;
                header("Location: ./herramientas.php");
                exit;
            }
        } else {
            die("Tu usuario ha sido bloqueado o todavía no ha sido aceptado por un administrador. Si el problema persiste contacta con contacto@leonmacias.com");
        }
    } else {
        die("No hay ninguna cuenta con este nombre de usuario");
    }
} else {
    echo 'El campo usuario esta vacio';
}
```
For example, you had $id = "''";
Not sure what you were trying to do there. If you are initializing it to a null-equivalent empty string, then just use "" or ''.
I removed the ending '?>' from the file. You don't need it and it's best not to have end block statements as they can in some circumstances cause issues.
I'd recommend looking at PSR-2 and adopting those standards.
Something odd about your code is when you do 2 queries in a row where USERNAME = '$username'. Do one query and either SELECT * or SELECT contrasena, bloqueado.
Whenever you have a header('Location:...) you need to follow that with exit/die. (They are the same function, but most people use exit).
Of course currently you are doing those queries and yet you do nothing with them.
Also because you are not using prepared statements with bound parameters, your code will allow SQL injection.
Again, our advice is that you use PDO. Here's a tutorial that will teach you everything you need to know.
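The single-query, bound-parameter version of this login check that the answer recommends, written as an added example (not code from the original post). It assumes an in-memory SQLite database with constructed rows in place of the real MySQL `users` table, a hypothetical `checkLogin()` helper, and passwords stored with `password_hash()` rather than the `md5()` used in the post.

```php
<?php
// Added example: constructed in-memory SQLite data stands in for the real `users` table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, contrasena TEXT, bloqueado TEXT)');

// Constructed sample rows (assumption: hashes come from password_hash(), not md5()).
$seed = $pdo->prepare('INSERT INTO users VALUES (:u, :p, :b)');
$seed->execute([':u' => 'ana', ':p' => password_hash('s3cret', PASSWORD_DEFAULT), ':b' => 'NO']);
$seed->execute([':u' => 'luis', ':p' => password_hash('hunter2', PASSWORD_DEFAULT), ':b' => 'SI']);

/**
 * Hypothetical helper: returns 'ok', 'unknown_user', 'blocked' or 'bad_password'.
 */
function checkLogin(PDO $pdo, string $username, string $password): string
{
    // One query for both columns; :username is sent as data, never parsed as SQL.
    $stmt = $pdo->prepare(
        'SELECT contrasena, bloqueado FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return 'unknown_user';
    }
    if ($row['bloqueado'] !== 'NO') {
        return 'blocked';
    }
    return password_verify($password, $row['contrasena']) ? 'ok' : 'bad_password';
}

// Constructed inputs, including a quote-laden username of the kind that would
// alter a string-built query; with a bound parameter it simply matches no row.
$attempts = [
    ['ana', 's3cret'],
    ['ana', 'wrong'],
    ['luis', 'hunter2'],
    ["ana' OR '1'='1", 'x'],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-16s => %s\n", $user, checkLogin($pdo, $user, $pass));
}
```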