nitish mallavarapu

Reputation: 25

encrypt_decrypt() function is returning nothing only when I try to decrypt

I have been working on a side project for school where users can log in and record the number of volunteer hours they have. I have completed the register page, where it connects to the database and stores the user's info, including an encrypted password. The problem I am having is when the user tries to log in. After the password is entered, the program goes into the database and retrieves the hashed function, but when I try to decrypt it, the decrypted line is blank. I am not sure as to why this is happening, but would like some help solving this problem. Thank you.

Here is the code for my login page and the encrypt_decrypt() function:

The login.php page:

<?php

include("encrypt_decrypt.php");

$username="root";
$password="";
$server="localhost";
$db_name="userauthentication";

$uname="";
$pword="";
$error_msg = "";

if(isset($_POST["submit"])){

    $db_handle = mysqli_connect($server, $username, $password);
    $db_found = mysqli_select_db($db_handle, $db_name);

    $uname = $_POST["uname"];
    $uname = htmlspecialchars($uname);
    $uname = mysqli_real_escape_string($db_handle, $uname);

    $pword = $_POST["pword"];
    $pword = htmlspecialchars($pword);
    $pword = mysqli_real_escape_string($db_handle, $pword);

        if($db_found){
            if($uname == "admin"){
                $SQL = "SELECT * FROM  WHERE username = '$uname' AND pword = '$pword'";
                $result = mysqli_query($db_handle, $SQL);

                $num_rows = mysqli_num_rows($result);

                    if(isset($num_rows) && $num_rows > 0){
                        session_start();
                        $_SESSION['login'] = "2";
                        header("Location: adminpage.html");
                    }else{
                        print("error");
                    }
            }else{
                $SQL = "SELECT * FROM login WHERE username = '$uname'";
                $result = mysqli_query($db_handle, $SQL);

                $num_rows = mysqli_num_rows($result);

                if($num_rows > 0){

                    $db_field = mysqli_fetch_assoc($result);

                    $pword_match = $db_field['password'];
                    $pword_match = encrypt_decrypt('decrypt', $pword_match);

                    print ($pword . "<br>");
                    print $pword_match;

                    if($pword == $pword_match){
                        session_start();
                        $_SESSION['login'] = "1";
                        header("Location: mainpage.html");
                    }else{
                        $error_msg = "<span class='error_msg'>Wrong password!</span>";
                        print $error_msg;
                    }
                }else if($num_rows == 0){
                    $error_msg = "<span class='error_msg'>Wrong username!</span>";
                    print $error_msg;
                }
            }
        }else{
            $error_msg = "<span class='register'>Could not connect to database!</span>";
            print $error_msg;
        }
    }
?>

These are the lines that are giving me trouble in the login.php file:

$db_field = mysqli_fetch_assoc($result);

$pword_match = $db_field['password'];
$pword_match = encrypt_decrypt('decrypt', $pword_match);

print ($pword . "<br>");
print $pword_match;

I just printed out the two lines so I could see what was happening. The print $pword line is fine, but the print $pword_match is giving me a blank.

The encrypt_decrypt() function:

<?php
function encrypt_decrypt($action, $string) {
    $output = false;

    $encrypt_method = "AES-256-CBC";
    $secret_key = $string;
    $secret_iv = "password";
    // hash
    $key = hash('sha256', $secret_key);

    // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
    $iv = substr(hash('sha256', $secret_iv), 0, 16);

    if( $action == 'encrypt' ) {
        $output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
        $output = base64_encode($output);
    }
    else if( $action == 'decrypt' ){
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
    }

    return $output;
}
?>

Upvotes: 0

Views: 1206

Answers (1)

zaph

Reputation: 112875

There are hundreds of SO answers about how to handle passwords on a server; search for example code.

Essentially, when the password is received the first time, it is hashed and the hash is stored on the server. When a user wants to log in, the password hash is retrieved, the password is hashed, and then the hashes are compared.

See: Safe Password Hashing.

Note: encrypting the passwords means that the key is on the server, and if it is obtained by an attacker, all the passwords will be available to the attacker. If you thought the server was secure you would not bother to encrypt the passwords. One cannot rely on the security of the server, but you should at least be using 2-factor authentication to the server.

Upvotes: 1
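The hash-then-compare flow described in the answer, as an added example that is not part of the original question or answer. It uses PHP's built-in `password_hash()` / `password_verify()`; the `$users` array is a constructed in-memory stand-in for the `login` table, and `register_user()` and `check_login()` are hypothetical names.

```php
<?php
// Added example: hash on registration, verify on login.
// $users is a constructed stand-in for the `login` table
// (username => stored hash); function names are hypothetical.

function register_user(array &$users, string $uname, string $pword): void
{
    // password_hash() picks a random salt and stores it, the algorithm
    // and the cost inside the returned string, so one column is enough.
    // Hash the password exactly as received: no htmlspecialchars() and
    // no SQL escaping, which would change the bytes being hashed.
    $users[$uname] = password_hash($pword, PASSWORD_DEFAULT);
}

function check_login(array &$users, string $uname, string $pword): bool
{
    if (!isset($users[$uname])) {
        return false;                      // unknown user
    }
    $stored = $users[$uname];

    // Re-hashes $pword with the salt embedded in $stored and compares
    // in constant time. Nothing is ever decrypted.
    if (!password_verify($pword, $stored)) {
        return false;
    }

    // Upgrade the stored hash if PHP's default algorithm or cost changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$uname] = password_hash($pword, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [];                               // constructed sample data
register_user($users, "alice", "correct horse");
register_user($users, "bob", "correct horse");

var_dump($users["alice"] === $users["bob"]);   // same password, different salts
var_dump(check_login($users, "alice", "correct horse"));
var_dump(check_login($users, "alice", "wrong guess"));
var_dump(check_login($users, "carol", "correct horse"));
```

With the question's mysqli setup, the stored hash would be written and read with prepared statements, and the password column should be wide enough for the full hash string (the PHP manual suggests 255 characters).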
