password_verify() not verifying

Question

I am trying to verify the hashed password in my database using the password_verify() function but it doesn't seem to be working. Any help please.

<?php
include("config.php");
include("vendor/password.php");

session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $username = mysqli_real_escape_string($db , $_POST['umail']);
  $password = mysqli_real_escape_string($db , $_POST['upassword']);

  $userQuery = "SELECT username, password FROM users WHERE username = '$username' AND password='$password'";
  $result    = mysqli_query($db ,$userQuery);
  $queryRow  = mysqli_fetch_array($result , MYSQLI_ASSOC);
  $queryCount = mysqli_num_rows($result);


  $verifyPassowrd = password_verify($_POST['upassword'] , $queryRow[2]);

  if ($verifyPassowrd){
    header("Location:home.php"); 
  }else{
    echo  "Username Or Password is invalid";
  }
  mysqli_close($db);
}
 ?>

Answer 1

Your password is hashed in your database.
In your query you include a non-hashed password, so the results of the query will be an empty set.

No need to have the password in the WHERE clause of your query, because you want to check the returned hash in the password_verify function.

Updated snippet (I also fixed the typo's):

<?php
include("config.php");
include("vendor/password.php");

session_start();

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $username = mysqli_real_escape_string($db , $_POST['umail']);

  $userQuery = "SELECT username, password FROM users WHERE username = '$username'";
  $result    = mysqli_query($db, $userQuery);
  $queryRow  = mysqli_fetch_array($result, MYSQLI_ASSOC);
  $queryCount = mysqli_num_rows($result);


  $verifyPassword = password_verify($_POST['upassword'], $queryRow['password']);

  if ($verifyPassword){
    header("Location:home.php"); 
  }else{
    echo  "Username Or Password is invalid";
  }
  mysqli_close($db);
}
?>