Admin panel of the website is being accessed without verification

The admin panel is working fine for normal users! It requires a password to access it, but when I access it using Acunetix's HTTP editor it opens the admin panel without verification. I'm using a function to check if the admin is logged in. If not, it redirects to the login page! Here's the code of the function, please help me with this! Thanks.

--> The full() function is mysqli_real_escape_string(htmlspecialchars());

--> Acunetix is a web application vulnerability tester.

function admin_check() {
    global $users, $mysqli;

    if (isset($_COOKIE['username'])) {
        // credentials are read straight from the client's cookies
        $username = full($_COOKIE['username']);
        $password = full($_COOKIE['password']);
        $id       = full($_COOKIE['id']);

        if (is_numeric($id)) {
            if ($id < 0) {
                $id = (-1) * $id;
            }
        } else {
            $id = 10;
        }

        $query = "SELECT * FROM $users WHERE username = '{$username}' and password = '{$password}' and id = $id ";
        $query_process = mysqli_query($mysqli, $query);
        if (!$query_process) {
            die_message("There was some error checking admin login");
        }

        // exactly one matching row means the login is valid
        $check_rows = mysqli_num_rows($query_process);
        if ($check_rows != 1) {
            header("location: login.php");
        }

        while ($rows = mysqli_fetch_assoc($query_process)) {
            $admin_role = $rows['admin_role'];
        }
        if ($admin_role != 1) {
            header("location: logout.php");
        }

    } // end of first if
    else {
        header("location: login.php");
    }
} // end of function

I guess one mistake can be because the script keeps on executing even after
header("location: login.php");
A possible way to remove it is by the die() function. Just add die() after every header redirect you are making.
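The fix the answer describes, written out as an added example that is not part of the original question or answer: every header("Location: ...") is immediately followed by exit(), so the rest of the page never runs for an unauthenticated client regardless of whether the client honours the redirect. It assumes $users, $mysqli, full() and die_message() exist exactly as in the question.

```php
<?php
// Added example (not the asker's code): admin_check() with the missing
// exit() after each redirect. A scanner's HTTP editor simply ignores the
// 302 and reads the body, so the redirect alone protects nothing.

function redirect_and_exit(string $url): void {
    header("Location: " . $url);
    exit(); // without this, PHP keeps executing the script after the header
}

function admin_check() {
    global $users, $mysqli; // assumed to be set up elsewhere, as in the question

    // treat missing cookies as "not logged in" and stop right here
    if (!isset($_COOKIE['username'], $_COOKIE['password'], $_COOKIE['id'])) {
        redirect_and_exit("login.php");
    }

    $username = full($_COOKIE['username']);   // full() assumed from the question
    $password = full($_COOKIE['password']);
    $id       = full($_COOKIE['id']);
    // same normalisation as the original: negative ids are flipped, non-numeric falls back to 10
    $id = is_numeric($id) ? abs((int) $id) : 10;

    $query = "SELECT admin_role FROM $users WHERE username = '{$username}' "
           . "AND password = '{$password}' AND id = $id";
    $query_process = mysqli_query($mysqli, $query);
    if (!$query_process) {
        die_message("There was some error checking admin login"); // assumed to stop the script
    }

    // exactly one matching row, otherwise stop before any admin content is emitted
    if (mysqli_num_rows($query_process) != 1) {
        redirect_and_exit("login.php");
    }

    $row = mysqli_fetch_assoc($query_process);
    if ((int) $row['admin_role'] !== 1) {
        redirect_and_exit("logout.php");
    }
    // only a logged-in admin reaches this point; the calling page may continue
}
```

A quick check after applying the fix is to request the admin page without cookies and confirm the response body is empty apart from the 302 headers.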
