Sanitize your Login form for more secure
Sanitize $_GET or $_POST parameters to avoid XSS and other attacks
// Sanitize $_POST parameters to avoid XSS and other attacks
$user = preg_replace('/[^-a-zA-Z0-9_]/', '', $_POST['username']);
$pass = preg_replace('/[^-a-zA-Z0-9_]/', '', $_POST['password']);
if ($user AND $pass){
$login = mysqli_query($con,"SELECT * FROM users WHERE username = '$user' AND password = '$pass'");
$match = mysqli_num_rows($login);
$r = mysqli_fetch_array($login);
mysqli_close($con);
if ($match > 0){
session_start();
$_SESSION[username] = $r[username];
$_SESSION[password] = $r[password];
echo "<script>window.location='./secure.php'</script>";
} else {
echo "<script>window.alert('wrong username or password');</script>";
}
}