Problem Checking return value from "password-verify"

Question

I have a problem with password-verify. Even though I know the password has been entered correctly I still get a false result. I use the following code to enter the hash value in mySql database: I have replaced the server login details; the input comes from a form that is created when a user scans an NFC microchip:

$servername = "localhost";
$username = "xxxxxxxxx";
$password = "xxxxxxxxx";
$database = "xxxxxxxxx"; // substitute your mysql database name
$hash = password_hash($Pass, PASSWORD_DEFAULT);
if ($UID === "0") {
    echo "You have not scanned a chip to enter the registration process";
} else {
    $Type = $_POST["Type"];
    $Units = $_POST["UNITS"];
    $LstStln = $_POST["LstStln"];
    $Country = $_POST["Country"];
    if (empty($_POST["eMail"])) {
        $emailErr = "Email is required";
        echo "Email is required";
    } else {
        $eMail = test_input($_POST["eMail"]);
        // check if e-mail address is well-formed
        if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $eMail)) {
            die("Invalid email format. Try again.");
        }
        // Create connection
        $conn = new mysqli($servername, $username, $password, $database);
        // Check connection
        if ($conn->connect_error) {
            die("Connection failed: " . $conn->connect_error);
        }
        $sql = "INSERT INTO ItsMine (UID, Password, email, Type, UNITS, LstStln, Country) VALUES ('$UID', '$hash', '$eMail', '$Type', '$Units', '$LstStln', '$Country')";
        $result = $conn->query($sql);
    }
}

This is the corresponding code that processes the input from this form, and which is returning false from password verify:

$servername = "localhost";
$username = "xxxxxxxxx";
$password = "xxxxxxxxx";
$database = "xxxxxxxxxx"; // substitute your mysql database name
$email = $_POST['email'];
$Pass = $_POST['Password'];
// Create connection
$conn = new mysqli($servername, $username, $password, $database);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
//get the hashed password from the database
$sql = "SELECT * From ItsMine where eMail = '$email'";
$result = $conn->query($sql);
$row = mysqli_fetch_assoc($result);
$hash = $row["Password"];
//Check password entered against the stored hash
if (password_verify($Pass, $hash)) {
    $tql = "SELECT * From ItsMine where eMail = '$email'";
}

Answer 1

There is not enough information in your question to be sure about your problem, but I am going to take an educated guess and say that your problem lies with w3schools. Please, if you used to follow their tutorials, STOP! They code is often broken and suggest appalling practices.

Your problem can be explained by the use of test_input() in your code. It does nothing, but damage your data and cause problems for your code. One could even consider it a security vulnerability. When you are inserting email into your code I see you use $eMail = test_input($_POST["eMail"]);, but when you select the hash from the database you don't. This is very likely the reason why your select is not working as intended. To debug this you can compare the output of var_dump(test_input($_POST["eMail"])); and var_dump($_POST["eMail"]);. If they are different it means that this function has damaged your data.

Another issue is lack of parameterized prepared statements, which you should be using. They are provided by PDO or by MySQLi. Never trust any kind of input!

You should also enable MySQLi errors to be displayed in case you have a mistake with your SQL somewhere. How to get the error message in MySQLi?

Lastly, another worthy articles you should read:
Everything You Need to Know About Preventing Cross-Site Scripting Vulnerabilities in PHP
How to prevent XSS with HTML/PHP?
How can I prevent SQL injection in PHP?