When logging in to a site with wrong user/password credentials, the displayed error is most generally a generic "username or password is incorrect". Looking into some PHP code that handles such login I found a MYSQL request constrained on both the user id and the password hash, making it indeed impossible to determine which of the strings was wrong if the request returns nothing.
Is there some security principle that explains why sites don't rather search for the username, and then match the password, and also why they don't make error messages more specific ("Username not known", "Incorrect password")?