The statement always return false

Question

I wrote this statement for the log in system and it is not working, fetch functions work properly because if I try to echo out the $hash, it looks fine but then if I try this verify statement it always returns the false even if the inputs are the same in the database, the database looks fines it has varchar(255), here's my code

<?php

if(isset($_POST['submit'])){
    include 'database.php';
    $uid = mysqli_real_escape_string($conn,$_POST['uid']);
    $pass = mysqli_real_escape_string($conn,$_POST['pass']);

    $query = "SELECT * FROM user WHERE username ='$uid'";
    $tbl = mysqli_query($conn, $query);
    if (mysqli_num_rows($tbl)>0){

        $row = mysqli_fetch_array($tbl, MYSQLI_ASSOC);
        $hash = $row['password'];
        if (password_verify($pass, $hash)){
            echo "success";
        } else {
            echo "log in error";
        }
    }
}

edit

I remove the mysqli_real_escape_string but it still return false heres the new code, I am selecting all from the database to also verify the username, so if either of the username or password in the inputs are inside the database the user will be redirected to wrong password page

<?php

if(isset($_POST['submit'])){
    include 'database.php';
$uid = $_POST['uid'];
$pass = $_POST['pass'];

$query = "SELECT * FROM user WHERE username ='$uid'";
$tbl = mysqli_query($conn, $query);
if (mysqli_num_rows($tbl)>0){

    $row = mysqli_fetch_array($tbl, MYSQLI_ASSOC);
    $hash = $row['password'];
     if (password_verify($pass, $hash)){
         echo "success";
     }
     else {
         echo "log in error";
     }

}
}

I have a sign up page and this is where I hashed then stores it inside the database, here's my code

$sql = "SELECT * FROM 'user' WHERE username ='$uid'";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result);
}
  if ($resultCheck > 0) {
    header("Location:.../user.add.php?the inputs are already taken");
    exit();
  }
  else {
      $hashedpass = password_hash($pwd, PASSWORD_DEFAULT);
      //insert the new user to the user database
      $sql = "INSERT INTO user (userID, username, password)
      VALUES (NULL, '$uid', '$hashedpass');";
      $result = mysqli_query($conn, $sql);
      header("Location:../user.add.php?success sir");
    exit();
  }

Answer 1

You're potentially modifying the password before comparing it:

$pass = mysqli_real_escape_string($conn,$_POST['pass']);

In some cases this won't make a difference, but in some it will.

if I try to echo out the $hash, it looks fine

It may intuitively look fine to a human as output on a web page, but does that mean the two values are binary equivalent? Not always, and the result of the code seems to indicate exactly that.

Since you're not using this value in a SQL query, you don't need to escape it:

$pass = $_POST['pass'];

---

Side note: You shouldn't rely on escaping input to use in a SQL query anyway. Instead, don't use user-modifiable values as code in your query in the first place. Use query parameters instead. A commonly linked Stack Overflow question has some great examples and explanations to get you started. In the long run your code will be more secure, more stable, and easier to debug and maintain.