Hey there! Let's figure out why you're hitting that "incorrect password" error even when you enter the right credentials. Let's break down the most likely issues and fixes step by step:

1. The #1 Culprit: Passwords Aren't Properly Hashed During Registration #

The password_verify() function only works with hashes generated by PHP's password_hash() function. If your registration code stores plain-text passwords, uses outdated hashing methods like MD5/SHA1, or skips hashing entirely, password_verify() will always return false.

Double-check your registration code to ensure you're saving passwords like this:

$hashed_password = password_hash($user_password, PASSWORD_DEFAULT);
// Insert $hashed_password into the user_password column of your database

2. Add Debugging to See What's Really Happening #

Let's add temporary debug output to your login code to confirm exactly what's being compared. Insert these lines right after you run password_verify():

$hashedpasswordcheck = password_verify($password, $row['user_password']);
// Debug lines - remove these after fixing the issue
echo "Input password: " . htmlspecialchars($password) . "<br>";
echo "Stored hash from DB: " . htmlspecialchars($row['user_password']) . "<br>";
echo "Verification result: " . var_export($hashedpasswordcheck, true) . "<br>";
exit;

This will show you:

• If the password you're entering matches what's being passed to the script
• If the stored value in your database is actually a valid password_hash() output (it should be a long string starting with $2y$ or similar)
• Whether password_verify() is truly returning false even with correct values

3. Fix Whitespace Issues #

Accidental spaces in the username or password (either from user input or database storage) can break the match. Clean up your input with trim():

$username = trim(mysqli_real_escape_string($conn, $_POST['username']));
$password = trim(mysqli_real_escape_string($conn, $_POST['password']));

4. Improve Your SQL Query Security & Reliability #

Your current query uses string interpolation, which is vulnerable to SQL injection. Switch to prepared statements instead—they're safer and avoid subtle syntax issues:

// Replace your existing SELECT query block with this
$sql = "SELECT * FROM users WHERE user_username = ?";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, "s", $username);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

if (mysqli_num_rows($result) < 1) {
    header("Location: ../main_login.php?login=error");
    exit();
}

$row = mysqli_fetch_assoc($result);

5. Remove Unnecessary (and Risky) Session Data #

You're storing the hashed password in the session with $_SESSION['user_password'] = $row['user_password'];—this is unnecessary and poses a security risk. Delete that line immediately.

Start with checking your registration password hashing first—it's the most common cause of this exact issue. If that's correct, use the debug lines to pinpoint where the mismatch is happening.

内容的提问来源于stack exchange，提问作者yoshik karnawat