// login.php
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $_POST['username']);
$stmt->execute();
$user = $stmt->get_result()->fetch_assoc();

if (password_verify($_POST['password'], $user['password'])) {
  session_start();
  $_SESSION['user'] = $user;
  header("Location: index.php");
}