$query=mysqli_query($mysqli, "SELECT * FROM user WHERE username='".$array[0]."' AND password='".$password."' AND (action='current' OR action='register')");
if(mysqli_num_rows($query) == 0) { //yes
    $right = true;
    $row = mysqli_fetch_array($query);
    $userid = $row['id'];
}
Right here, you are saying if there are no records that match the username and password combination, then set $right to true and proceed. I am pretty sure your check should be
if (mysqli_num_rows($query) != 0)
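
The corrected check written as a fail-closed lookup, as an added example that is not part of the original post. `find_user_id` is a hypothetical name, the table and column names are taken from the query above, and a prepared statement is swapped in for the string-built query; `$password` is assumed to already be in the form the table stores, as in the original.

```php
<?php
// Added example, not the poster's code.

/**
 * Returns the id of the user matching the credentials, or null if no row
 * matches. Every path that does not find a row returns null, so a caller
 * can only set $right = true when a record actually exists.
 */
function find_user_id(mysqli $mysqli, string $username, string $password): ?int
{
    // Placeholders keep the username and password out of the SQL text.
    $stmt = $mysqli->prepare(
        "SELECT id FROM user
          WHERE username = ? AND password = ?
            AND (action = 'current' OR action = 'register')"
    );
    if ($stmt === false) {
        return null; // prepare failed (non-exception error mode): not authenticated
    }

    $stmt->bind_param('ss', $username, $password);
    if (!$stmt->execute()) {
        $stmt->close();
        return null; // query failed: not authenticated
    }

    $result = $stmt->get_result(); // needs the mysqlnd driver
    $row = ($result === false) ? null : $result->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null; // zero rows: the same case as mysqli_num_rows($query) == 0
    }
    return (int) $row['id'];
}

// Usage with the variables from the original snippet ($mysqli, $array, $password):
//   $userid = find_user_id($mysqli, $array[0], $password);
//   $right  = ($userid !== null);
```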