PHP. I have a question about simple php mysql login system. (i am using XAMPP)

I have created a simple website and asked the user to register. all the info is stored in the database. So now user can login using his username and password.

The problem is user can login using any word in the passwords section. As long as he entered the right username, he can type whatever he wants and he will still be able to login.

Question? How i can fix this so that when user wants to log in, he can only use associated username and password to successfully login( NOT ANY RANDOM WORD FOR PASSWORD).

This is the code.

if (isset($_POST['login_btn'])) {

login();

}

// LOGIN USER

function login(){

global $db, $user_id, $errors;

// grap form values

$user_id = e($_POST['username']);

$password = e($_POST['password']);

// make sure form is filled properly

if (empty($user_id)) {

array_push($errors, "Username or Email is required");

}

if (empty($password)) {

array_push($errors, "Password is required");

}

// attempt login if no errors on form

if (count($errors) == 0) {

$password = md5($password);

$query = "SELECT * FROM users WHERE username='$user_id' OR email='$user_id' AND password='$password' LIMIT 1";

$results = mysqli_query($db, $query);

if (mysqli_num_rows($results) == 1) { // user found

// check if user is admin or user

$logged_in_user = mysqli_fetch_assoc($results);

if ($logged_in_user['user_type'] == 'admin') {

$_SESSION['user'] = $logged_in_user;

$_SESSION['success'] = "You are now logged in";

header('location: Admin/Admin.php');

}else{

$_SESSION['user'] = $logged_in_user;

$_SESSION['success'] = "You are now logged in";

header('location: index.php');

}

}else {

array_push($errors, "Wrong username/password combination");

}

}

}

// call the register() function if register_btn is clicked

if (isset($_POST['register_btn'])) {

register();

}

// REGISTER USER

function register(){

// call these variables with the global keyword to make them available in function

global $db, $errors, $username, $email;

// receive all input values from the form. Call the e() function

// defined below to escape form values

$username = e($_POST['username']);

$email = e($_POST['email']);

$password_1 = e($_POST['password_1']);

$password_2 = e($_POST['password_2']);

$firstname = e($_POST['firstname']);

$lastname = e($_POST['lastname']);

// form validation: ensure that the form is correctly filled

if (empty($username)) {

array_push($errors, "Username is required");

}

if (empty($email)) {

array_push($errors, "Email is required");

}

if (empty($password_1)) {

array_push($errors, "Password is required");

}

if ($password_1 != $password_2) {

array_push($errors, "The two passwords do not match");

}

if (empty($firstname)) {

array_push($errors, "Firstname is required");

}

if (empty($lastname)) {

array_push($errors, "Lastname is required");

}

//checking if user with same info is already there

$checkifexists = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";

$ressl = mysqli_query($db, $checkifexists);

$userrrr = mysqli_fetch_assoc($ressl);

if($userrrr){

if ($userrrr['username'] === $username){

array_push($errors, "Username already exists");

}

if ($userrrr['email'] === $email){

array_push($errors, "email already exists");

}

}

// register user if there are no errors in the form

if (count($errors) == 0) {

$password = md5($password_1);//encrypt the password before saving in the database

if (isset($_POST['user_type'])) {

$user_type = e($_POST['user_type']);

$query = "INSERT INTO users (username, email, user_type, password, firstname, lastname)

VALUES('$username', '$email', '$user_type', '$password', '$firstname', '$lastname')";

mysqli_query($db, $query);

$_SESSION['success'] = "New user successfully created!!";

header('location: Admin/Admin.php');

}else{

$query = "INSERT INTO users (username, email, user_type, password, firstname, lastname)

VALUES('$username', '$email', 'user', '$password', '$firstname', '$lastname')";

mysqli_query($db, $query);

// get id of the created user

$logged_in_user_id = mysqli_insert_id($db);

$_SESSION['user'] = getUserById($logged_in_user_id); // put logged in user in session

$_SESSION['success'] = "You are now logged in";

header('location: index.php');

}

}

}

// return user array from their id

function getUserById($id){

global $db;

$query = "SELECT * FROM users WHERE id=" . $id;

$result = mysqli_query($db, $query);

$user = mysqli_fetch_assoc($result);

return $user;

}

// escape string

function e($val){

global $db;

return mysqli_real_escape_string($db, trim($val));

}

function display_error() {

global $errors;

if (count($errors) > 0){

echo '

';

foreach ($errors as $error){

echo $error .' ';

}

echo '

';

}

}