PHP condition doesn't work

Question

I have this code

$nick = $_POST["user"];
$pass = sha1($_POST["pass"]);

$user = pg_query($dbconn, "SELECT * FROM users");
$user = pg_fetch_object($user);

if($user->nick != $nick || $user->pass != $pass) {
    echo 'Wrong user or password';
}

nick in database is character type and is quite hashed, but I still get 'Wrong user or password' on output.

Is there any type conflict?

Answer 1

$nick = $_POST["user"];
$pass = sha1($_POST["pass"]);

$user = pg_query($dbconn, "SELECT * FROM users WHERE nick = '$nick' and pass='$pass'");
$num = pg_num_rows($user);
$user = pg_fetch_object($user);

if($num==0) {
    echo 'Wrong user or password';
}

When do query with some value that the client will interact, make sure he will not use some methods of injection

Change code:

$nick = pg_escape_string(strip_tags($_POST["user"]));
$pass = sha1($_POST["pass"]);