If I’m reading the logic correctly, it looks like the raw unhashed passwords are being stored in the database (This is insecure!), but then the password_verify
function is being used “back to front” whereby the user input is hashed, then compared against the raw password in the database.
So in effect the system is no more secure than the original version where raw password was compared to raw password.
This is the root of the problem: you are not working in a realistic environment. A system that stores unhashed passwords cannot be secure.
All passwords should be hashed before recording in the database.
When you have that you can check it with something along these lines:-
$stmt = $con->prepare('SELECT password AS hash FROM admin WHERE username = ?');
You may want to select other columns such as ID or whatever you need, but the password is the one we need specifically to validate the login.
Once you have the hashed password from the database you check it like so:-
if (password_verify($userInputPassword, $hash)) {
    // login is good
} else {
    // Login is bad !!
}
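The full round trip described in the post above (hash at registration, store only the hash, verify raw input against the stored hash at login), as an added example that is not part of the original post. It assumes PDO with a constructed in-memory SQLite database; the `admin` table with its `username` and `password` columns follows the query above, while `createAdmin`, `checkLogin` and the `id` column are hypothetical names.

```php
<?php
// Constructed in-memory database standing in for the real one (assumption: pdo_sqlite is available).
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Registration: hash once and store only the hash, never the raw password.
function createAdmin(PDO $con, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO admin (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: fetch the stored hash, then call password_verify(raw input, stored hash).
// The argument order matters: the first argument is what the user typed.
function checkLogin(PDO $con, string $username, string $userInputPassword): bool
{
    $stmt = $con->prepare('SELECT id, password AS hash FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // unknown username
    }
    if (!password_verify($userInputPassword, $row['hash'])) {
        return false; // wrong password
    }

    // If PHP's default algorithm or cost has changed since the hash was stored,
    // re-hash now while the raw password is available and update the row.
    if (password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $upd = $con->prepare('UPDATE admin SET password = ? WHERE id = ?');
        $upd->execute([password_hash($userInputPassword, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed sample account and three login attempts.
createAdmin($con, 'alice', 'correct horse battery staple');
var_dump(checkLogin($con, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($con, 'alice', 'wrong guess'));
var_dump(checkLogin($con, 'nobody', 'anything'));

// What actually sits in the password column: a salted hash, not the raw password.
var_dump($con->query('SELECT password FROM admin')->fetchColumn());
```

Existing rows that still hold raw passwords cannot be verified this way until each one has been replaced with the output of `password_hash`.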