lol, you're not even doing it right.
$stmt = $con->prepare("SELECT username, password FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
if($stmt->num_rows) {
    echo "yes";
} else {
    echo "no";
}
You should use store_result instead of get_result and you're using num_rows wrong.
If you want to check if the account is banned or not, find out if the account actually exists first. Then do something like:
$stmt = $con->prepare("SELECT username, password, status FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();
// A non-zero row count means the username/password pair matched a row
if($stmt->num_rows) {
    // Bind the selected columns to variables, then read each matching row
    $stmt->bind_result($username, $password, $status);
    while($stmt->fetch()) {
        if($status == 0) {
            echo "Banned";
        } else {
            echo "regular user";
        }
    }
} else {
    echo "no";
}
num_rows already checks for the user inputted variables. It's really redundant to use > 0 with num_rows because let's say the user logs in with guest as the username and password as the password. num_rows already checks if those two return a row. Checking to see if the row is greater than 0 is exactly what num_rows already has done.
Your problem is that you aren't using PHP correctly and therefore it won't allow you to log in with whatever you're attempting. If you want to use the built-in password hash, you have to check if the user exists first. Then if the user does exist, take their hashed password from the database and compare it with the password they have entered in using the password_verify function. If the passwords do not match when they actually do match then you are doing something wrong.
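
The password_verify flow described in the last paragraph, written out as an added example that is not part of the original post. It assumes `$con` is an open mysqli connection, that `users.password` stores `password_hash()` output, and that status 0 means banned as in the snippet above; `check_login` and `DUMMY_HASH` are hypothetical names.

```php
<?php
// Added example, not the original poster's code. Assumes $con is an open
// mysqli connection, users.password stores password_hash() output, and
// status 0 means banned. check_login and DUMMY_HASH are hypothetical names.
define('DUMMY_HASH', password_hash('placeholder', PASSWORD_DEFAULT));

function check_login(mysqli $con, string $username, string $password): string
{
    // Look the account up by username only: a salted hash cannot be matched in SQL.
    $stmt = $con->prepare("SELECT password, status FROM users WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();

    $hash = $status = null;
    $found = false;
    if ($stmt->num_rows === 1) {
        $stmt->bind_result($hash, $status);
        $found = ($stmt->fetch() === true);
    }
    $stmt->close();

    if (!$found) {
        // Burn a comparable amount of time so a missing account and a wrong
        // password are not distinguishable by response time.
        password_verify($password, DUMMY_HASH);
        return "no";
    }
    if (!password_verify($password, $hash)) {
        return "no";
    }
    if ((int) $status === 0) {
        return "Banned";
    }
    // Re-hash transparently when PHP's default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare("UPDATE users SET password = ? WHERE username = ?");
        if ($upd !== false) {
            $upd->bind_param("ss", $newHash, $username);
            $upd->execute();
            $upd->close();
        }
    }
    return "regular user";
}
```

At registration, store `password_hash($password, PASSWORD_DEFAULT)` in the password column so this check has a hash to verify against.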