Here’s a non-exhaustive list of problems/solutions:
- Your code is difficult to read because it is not properly indented.
- You should use prepared statements to guard against SQL injection.
- You give hints to hackers by having different error messages. When the username is correct and the password wrong you say: “Login/Password Incorrect :(”, but if the username is wrong you say: “Username Not Found!”. That way a hacker can know if a username is correct, and half the job is done.
- Better not use `md5()` for password encryption.
- Use `password_hash()` for handling passwords.
- Do not store the username in a cookie. Again, you’re leaking information.
- You seem to have stored usernames as `phone_number`. So which one is it? It is either a username or a phone number, it cannot be both. Even if you use phone numbers as user names, call them what they are.
- Sloppy coding: `$errors = array();` is not used anywhere. You don’t check the result of `new mysqli()`, the connection might fail. Same is true for
- You take care to close the database, but then why don’t you release the query result with `$result->close();`? Either do both, or none.
Security is a difficult topic; it’s really hard to get it right, and what might be good today might be bad tomorrow.
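The points above (prepared statement, `password_hash()`/`password_verify()`, one error message for both failure cases, a checked connection, a released result set, no username cookie) put together in one login check. This is an added example, not the original poster's code; the table layout `users(id, username, password_hash)` and the connection credentials are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the original poster's code. Assumes a table
// users(id, username, password_hash) whose hashes come from password_hash(),
// and that the host/user/password/database names below are placeholders.

function connectDb(): mysqli
{
    // Report connection and query failures as exceptions instead of
    // silently continuing with a broken connection.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'app_user', 'app_password', 'app_db');
}

// Returns the user's id on success, or null on any failure. A wrong username
// and a wrong password take the same path and yield the same result, so the
// caller has nothing different to tell the client.
function checkLogin(mysqli $db, string $username, string $password): ?int
{
    // Prepared statement: the username travels as a bound parameter and is
    // never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $result = $stmt->get_result();      // needs mysqlnd (the default driver)
    $row = $result->fetch_assoc();
    $result->close();                   // release the result set ...
    $stmt->close();                     // ... and the statement

    // When the user does not exist, verify against a dummy hash anyway so
    // both failure paths cost roughly the same amount of time.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $row['password_hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash);   // always run, even for unknown users

    if ($row === null || !$ok) {
        return null;
    }
    return (int) $row['id'];
}

session_start();
$db = connectDb();
$userId = checkLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    echo 'Login/Password Incorrect';   // one message for every failure
} else {
    $_SESSION['user_id'] = $userId;    // server-side session, no username cookie
    echo 'Welcome';
}
$db->close();
```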