https://codereview.stackexchange.com/ 对于像这样的事情来说会更好。这是完全不清楚你究竟在问什么，因此我只是重构了你的PHP代码，并希望这可以帮助。

https://codereview.stackexchange.com/ would be a better place for stuff like this. It's absolutely unclear what you're actually asking, therefore I just refactored your PHP code and hope this might help.

<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$username = filter_input(INPUT_POST, "username", FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
$password = filter_input(INPUT_POST, "password", FILTER_UNSAFE_RAW);

if ($username && $password) {
  try {
    $connection = new \mysqli("localhost", "root", "password", "database");
    $stmt = $connection->prepare("SELECT `id`, `password` FROM `personal` WHERE `username` = ? LIMIT 1");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    if ($found === true && password_verify($password, $hash)) {
      session_start();
    }
    else {
      echo "We either don't know the username or the password was wrong.";
    }
    $stmt->close();
    $connection->close();
  }
  catch (\mysqli_sql_exception $e) {
    echo "An error ocurred while communicating with the database, please hang in there until it's fixed.";
  }
}
else {
  echo "Please enter a username and a password.";
}

• 使用异常而不是检查返回值每个函数和/或调用其他方法。
  
• 使用面向对象的代码以提高可读性。
  
• 使用预准备语句确保没有可能的SQL注入。


• 使用PHP内置的密码功能。
>

• 使用PHP的内置过滤器函数。


• 不要告诉客户真的出了什么问题（未知用户名和/或错误密码）。


• Use exceptions instead of checking the returned values of each function and/or calling additional methods.
• Use object oriented code for better readability.
• Use prepared statements to ensure that no SQL injection is possible.
• Use PHP's built-in password functions.
• Use PHP's built-in filter functions.
• Don't tell the client what really went wrong (unknown username and/or wrong password).