Hello, world! Implementing password_verify

Updated: 2022-12-15 22:27:21

First of all, you only have to use "WHERE username =". You don't have to check the password when you do the request.

Secondly, you have to verify the password.

Finally, you should also use prepared statements; it's more secure.

So, your code should look like this (the code provided may not be usable as is but you can tweak it to get the result that you want and read the doc to understand prepared statements and how password_verify works):

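// Look the user up by username only; the password is checked in PHP, not in SQL.
$sql = "SELECT * FROM table2 WHERE username = :username";
$request = $conn->prepare($sql);
$request->execute([":username" => $_POST["username"] ?? ""]);
// fetch() returns false when no row matches, so an unknown username is handled safely.
// FETCH_OBJ is requested explicitly because the code below reads $user->password.
$user = $request->fetch(PDO::FETCH_OBJ);

if ($user && password_verify($_POST["password"] ?? "", $user->password)) {
    // user is logged in
} else {
    // username not found or password is wrong
}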
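
The three points above, carried through registration and login, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension and uses a constructed in-memory table; the function names `register` and `login` are hypothetical.

```php
<?php
// Constructed in-memory SQLite database standing in for the real connection (assumption).
$conn = new PDO("sqlite::memory:");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE table2 (username TEXT PRIMARY KEY, password TEXT NOT NULL)");

// Registration (hypothetical helper): store only the password_hash() output.
function register(PDO $conn, string $username, string $password): void
{
    $stmt = $conn->prepare(
        "INSERT INTO table2 (username, password) VALUES (:username, :password)"
    );
    $stmt->execute([
        ":username" => $username,
        ":password" => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login (hypothetical helper): select by username only, then verify in PHP.
function login(PDO $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare("SELECT password FROM table2 WHERE username = :username");
    $stmt->execute([":username" => $username]);
    $user = $stmt->fetch(PDO::FETCH_OBJ);   // false when the username does not exist

    if ($user === false || !password_verify($password, $user->password)) {
        return false;                        // same result for unknown user and wrong password
    }
    // Re-hash when the default algorithm or cost has changed since the hash was stored.
    if (password_needs_rehash($user->password, PASSWORD_DEFAULT)) {
        $upd = $conn->prepare(
            "UPDATE table2 SET password = :password WHERE username = :username"
        );
        $upd->execute([
            ":password" => password_hash($password, PASSWORD_DEFAULT),
            ":username" => $username,
        ]);
    }
    return true;
}

register($conn, "alice", "correct horse battery staple");     // constructed sample account
var_dump(login($conn, "alice", "correct horse battery staple")); // valid credentials
var_dump(login($conn, "alice", "wrong"));                        // wrong password
var_dump(login($conn, "nobody", "anything"));                    // unknown username
// Quote characters in the bound value are treated as data, not as SQL.
var_dump(login($conn, "alice' OR '1'='1", "x"));
```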