I've created a login page with PHP and a MySQL database. Everything works fine except when I log in with the right username and wrong password it still sends me to the logged-in page and doesn't keep me on the login page.
<?php
$user = $_POST['user'];
$pass = stripslashes($_POST['pass']);
$pass = mysql_real_escape_string($pass);
$pass = md5($pass);
$connect = mysql_connect("$host", "$ad_user", "$ad_pass") or die("Unable to connect to MySQL");
$db = mysql_select_db("$db", $connect) or die("Could not select examples");
$query = "SELECT * FROM members WHERE username='$user'" or die("error query");
$result = mysql_query($query);
$count = mysql_num_rows($result);
$p = mysql_fetch_array($result);
if ($count == 1) {
    if ($p['password'] == $pass) {
        session_start();
        $_SESSION['loggedin'] = 1;
        $_SESSION['username'] = $user;
        header('Location: //members.polydodo.com');
    } else {
        header('Location: ../login.php?error');
    }
} else {
    header('Location: ../login.php?error');
}
mysql_close($connect);
?>
I can't see any mistakes in this and I've double checked orders of password encryption, etc. already. Using the wrong username redirects to the error page and doesn't log me in but it logs me in with the right username regardless of the password.
P.S. I am aware of MySQLi and PDO but haven't had time to look into that yet so I'm sticking with standard MySQL until I do.
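
An added example, not part of the original question: a hardened form of the same check, using a PDO prepared statement and `password_hash()`/`password_verify()` in place of string concatenation and `md5()`. In the posted code, `mysql_real_escape_string()` runs before `mysql_connect()`; when it cannot open a connection it returns `false`, so `md5()` then hashes an empty string whatever was typed. The function name `check_login`, the SQLite stand-in database and the sample user are assumptions made for the demo.

```php
<?php
// Added example, not the poster's code. Table and column names follow the post;
// the in-memory SQLite database and the sample user are constructed for the demo.

// Returns true only if the user exists AND the password matches the stored hash.
function check_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: $user never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                       // unknown username
    }
    // Verify the raw input; escaping functions are for SQL, not for hashing.
    return password_verify($pass, $hash);
}

// Assumption: SQLite stands in for MySQL so the example runs offline;
// with MySQL use a "mysql:host=...;dbname=..." DSN and a VARCHAR(255) column.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO members VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed cases: [username, password, expected result]
$cases = [
    ['alice',   'correct horse', true],
    ['alice',   'wrong',         false],
    ['alice',   '',              false],
    ["o'brien", 'correct horse', false],
];
foreach ($cases as [$u, $p, $expected]) {
    $ok = check_login($db, $u, $p);
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected result for $u");
    }
    printf("%-8s %-14s %s\n", $u, "'$p'", $ok ? 'login' : 'reject');
}
```

In the login handler, call `exit` immediately after each `header('Location: ...')` so the script stops once the redirect is sent.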