You should not have `and password = '$password'` in the query. The password in the database is the hashed password, not the same as `$password`. You should just fetch the row using the email, then use `password_verify()` to check the password.
You also need to select the password column so you can verify it.

```php
// Look the user up by email only, and fetch the stored hash along with the id
$check_email = mysqli_query($conn, "SELECT id, password FROM users WHERE email='$email'");
```
You also have problems with your logic. You set the session variable and redirect to home
regardless of the password verification. It should be:
```php
$row = mysqli_fetch_array($check_email);
// Only log the user in when a row was found AND the password matches its hash
if ($row && password_verify($password, $row['password'])) {
    $msg[] = "You have successfully logged in.";
    $_SESSION["user_id"] = $row['id'];
    header('Location: home');
    exit; // stop the script here so nothing after the redirect runs
} else {
    $msg[] = "The password or email is incorrect.";
}
```
You also shouldn’t escape the password before hashing or verifying it. And of course, if you correctly use prepared statements with parameters, you shouldn’t escape anything first.
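Putting the three points together (email-only lookup, `password_verify()`, and a prepared statement instead of escaping), here is an added example that is not the asker's or the answerer's code. It assumes `$conn` is an open mysqli connection using the mysqlnd driver (for `get_result()`), a `users` table with `id`, `email` and `password` columns where `password` holds `password_hash()` output, and that `home` is the post-login page.

```php
<?php
// Added example: login check with a prepared statement and password_verify().
// Assumes $conn (mysqli, mysqlnd driver), a users table (id, email, password)
// whose password column stores password_hash() output, and a form that
// posts raw email and password fields.
session_start();

function login(mysqli $conn, string $email, string $password): ?int
{
    // Only the email is used to look up the row, and it is bound as a
    // parameter; the password never goes into SQL, so nothing is escaped.
    $stmt = $conn->prepare("SELECT id, password FROM users WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Compare the submitted password against the stored hash. The same
    // failure path is taken for an unknown email and for a wrong password,
    // so the response does not reveal which one it was.
    if ($row && password_verify($password, $row['password'])) {
        return (int) $row['id'];
    }
    return null;
}

$userId = login($conn, $_POST['email'] ?? '', $_POST['password'] ?? '');
if ($userId !== null) {
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['user_id'] = $userId;
    header('Location: home');
    exit;                          // nothing below should run after the redirect
}
$msg[] = "The password or email is incorrect.";
```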