I’m trying to implement a PHP login script which works with 3 PHP files. The scripts work fine when using correct user names and passwords, and the script even blocks access when the wrong information is provided. My problem is that the script is allowing access when you press the submit button on the form and don’t insert a user name or password.

The first script goes like this:

<form action="login2.php" method="post">
Usuario:<br />
<input type="text" name="username" class="formtext" />
Contraseña:<br />
<input type="password" name="password" class="formtext" />
<input type="submit" value="Ingresar" class="formbutton" />
</form>

As you can see, the form accesses “login2.php” which goes like this:

<?php
$usernames = array("user1", "user2", "user3", "superman");
$passwords = array("test", "pass2", "password3", "supermans password");
$page = "noticias.php";

for($i=0;$i<count($usernames);$i++){
  $logindata[$usernames[$i]]=$passwords[$i];
}
if($logindata[$_POST["username"]]==$_POST["password"]){
session_start();
$_SESSION["username"]=$_POST["username"];
header('Location: '.$page);
exit;
}else{
header('Location: login.php?wrong=1');
exit;
}
?> 

Finally, the page I’m trying to restrict access to has the following code added at the top to make sure the user is logged in:

<?php require("login3.php"); ?> 

And “login3.php” has the following code:

<?php
session_start();
if(!isset($_SESSION['username'])){
header('Location: login.php');
exit;
}
?> 

If anyone can help me out with this since I got these scripts from an online tutorial, and don’t know much about PHP, and really need to know why access is being allowed with blank usernames and passwords.