First off, you urgently need to fix the SQL Injection vulnerabilities in your code.
- Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
- How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
- Query Parameterization Cheat Sheet | OWASP
Next, fix your password storage. You're currently storing passwords in plain text, which is an extremely bad idea. You should only ever store a salted hash of the user's password, using a unique salt per record.
- Secure Password Authentication Explained Simply
- Salted Password Hashing - Doing it Right
Also, NEVER put the user's password in the URL. The browser retains a history of every URL visited, making it trivial for someone with access to the user's history to discover their password.
Finally, to fix your problem, you need to split your validation into two steps:
- Are the username and password valid?
- Has the user completed the test?
Currently, you're trying to do both at once, which is why you're getting confused.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
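The three fixes from the answer above combined in one login check, as an added example that is not part of the original answer or the asker's code. It assumes Python with SQLite, a hypothetical `users` table with a `test_completed` flag, and PBKDF2-HMAC-SHA256 as the salted hash; the accounts are constructed sample data.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000      # assumed PBKDF2 work factor; tune for your hardware
DUMMY_SALT = b"\0" * 16   # used only to keep timing similar for unknown users

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def create_user(db, username, password, test_completed=False):
    salt = os.urandom(16)  # unique random salt per record
    db.execute(
        "INSERT INTO users (username, salt, pw_hash, test_completed) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), int(test_completed)),
    )

def login(db, username, password):
    """Return 'invalid', 'test_already_completed' or 'ok'."""
    # Parameterized query: the username is bound as data, never concatenated into SQL.
    row = db.execute(
        "SELECT salt, pw_hash, test_completed FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    # Step 1: are the username and password valid?
    # An unknown user still costs one hash, and gets the same answer as a bad password.
    salt, stored, test_completed = row or (DUMMY_SALT, b"", 0)
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return "invalid"
    # Step 2: reached only by an authenticated user: has the test been completed?
    return "test_already_completed" if test_completed else "ok"

def demo_db():
    # Constructed sample data (hypothetical schema and accounts).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, test_completed INTEGER)")
    create_user(db, "alice", "correct horse", test_completed=False)
    create_user(db, "bob", "battery staple", test_completed=True)
    return db

if __name__ == "__main__":
    db = demo_db()
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple"),
                     ("bob", "wrong"), ("alice'--", "x")]:
        print(user, "->", login(db, user, pw))
```

Because step 2 runs only after step 1 succeeds, a wrong password never reveals whether that account has already taken the test.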