Hash Password nicht zu dem, was es sein sollte (PHP)

Question

Also ich versuche, ein ziemlich einfaches Login-System zu machen, aber aus irgendeinem Grund Hash-Passwort, das an meine Datenbank gesendet wird, Hashing nicht korrekt. Ich habe meine Datenbank überprüft und das gespeicherte Passwort ist nicht das, was der sha256-Hash mit dem generierten Salto angehängt hat, ist nicht das, was es sein soll. Hier ist mein Code, um den Hash zu erzeugen, die in die Datenbank hochgeladen hat wird:

<?php 
include "connection.php"; 
//Check Connection 
if ($connect->connect_error) { 
    echo "Failed to connect to server: " . mysqli_connect_error(); 
} 

//Reset all Checks 
$username_exists = NULL; 
$email_valid = NULL; 
$passwords_match = NULL; 
$password_acceptable = NULL; 
$password_long_enough = NULL; 
$password = NULL; 

//Prepare Statements 
    //Check for Username Existing Statement 
    $check_username_match = $connect->stmt_init(); 
    $sql_check_username = "SELECT id FROM $tablename WHERE username=?"; 
    $check_username_match->prepare($sql_check_username); 
    $check_username_match->bind_param("s", $username); 

    //Insert Into Table Statement 
    $register_query = $connect->stmt_init(); 
    $sql_register = "INSERT INTO $tablename (username, email, password, token, active, level) VALUES (?, ?, ?, ?, ?, ?)"; 
    $register_query->prepare($sql_register); 
    $register_query->bind_param("sssssi", $username, $email, $hashedpassword, $token, $activated, $level); 

//Execute When Form Submitted 
if($_SERVER["REQUEST_METHOD"] == "POST") { 
    $username = mysqli_escape_string($connect, $_POST['username']); 
    $email = mysqli_escape_string($connect, $_POST['email']); 
    $password = $_POST['password']; 
    $confirm_password = $_POST['confirm_password']; 

    //Check if Username Exists 
    $check_username_match->execute(); 
    $check_username_match->store_result(); 
    $numrows = $check_username_match->num_rows; 
    if ($numrows==0){ 
     $username_exists = false; 
    } else { 
     $username_exists=true; 
    } 

    //Check if Passwords Match 
    if ($password==$confirm_password){ 
     $passwords_match = true; 
    } else { 
     $passwords_match = false; 
    } 

    //Check if Email Address is Valid 
    if (filter_var($email, FILTER_VALIDATE_EMAIL)) { 
     $email_valid = true; 
    } else { 
     $email_valid = false; 
    } 

    //Check if Passwords Contains Special Characters 
    $uppercase = preg_match('@[A-Z]@', $password); 
    $lowercase = preg_match('@[a-z]@', $password); 
    $number = preg_match('@[0-9]@', $password); 
    //Check if Password is Long Enough 
    $password_length = strlen($password); 
    if ($password_length>8){ 
     $password_long_enough = true; 
    } else { 
     $password_long_enough = false; 
    } 

    //Validate Password 
    if(!$uppercase || !$lowercase || !$number || !$password_long_enough || $password = '') { 
     $password_acceptable = false; 
    } else { 
     $password_acceptable = true; 
    } 

    //Register if all Validations Met 
    if(!$username_exists && $email_valid && $passwords_match && $password_acceptable){ 
     //$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
     $token = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 
     $activated="No"; 
     $level = 0; 
     $hashedpassword = password_hash($password, PASSWORD_DEFAULT); 
     $register_query->execute(); 
     $message = "Hello, welcome to the site.\r\n\r\nPlease click on the following link to activate your account:\r\nlocalhost/login_system/activate.php?token=".$token; 
     mail($email, 'Please Activate Your Account', $message); 
     header("Location: login.php"); 
    } 
} 
?> 

UPDATE: Ich meine obigen Code geändert, um die Änderungen widerzuspiegeln ich mit password_hash gemacht. Das Problem besteht jedoch weiterhin.

Dies ist die Anmeldungs ​​php:

<?php 
include("connection.php"); 
session_start(); 
//Reset Variables 
$message = ''; 
$location = "/login_system/index.php"; //default location to redirect after logging in 
$username = ''; 
$password = ''; 

//Check to see if user is newly activated; if he is display a welcome message. 
    if(isset($_GET['activated'])){ 
     if($_GET['activated'] == "true"){ 
      $message = "Thank you for verifying your account. Please login to continue."; 
     } 
    } 

//Check to see if user is coming from another page; if he is then store that page location to redirect to after logging in. 
if(isset($_GET['location'])) { 
    $location = htmlspecialchars($_GET['location']); 
} 

echo $location; 

//Prepare login check statement 
    $check_login = $connect->stmt_init(); 
    $sql = "SELECT id, password FROM $tablename WHERE username=?"; 
    $check_login->prepare($sql); 
    $check_login->bind_param("s", $username); 

//Execute Login Check 
    if($_SERVER["REQUEST_METHOD"] == "POST") { 
     $username = mysqli_escape_string($connect, $_POST['username']); 
     $password = $_POST['password']; 
     $check_login->execute(); 
     $check_login->store_result(); 
     $numrows = $check_login->num_rows; 
     $check_login->bind_result($id, $match); 
     $check_login->fetch(); 
     if ($numrows==1 && password_verify($password, $match)) { 
      $_SESSION['login_user'] = $id; 
      $goto = "localhost".$location; 
      header("location: $goto"); 
      $message = "Success!"; 
     } else { 
      $message="Username or password is not valid."."<br>".$match."<br>"; 
     } 
    } 
    $connect->close(); 
?> 

Answer 1

Sie sollten nur das Passwort füttern Sie in PHP password_hash(); Funktion Hash möchten. Wie so ...

$password = $_POST['password']; 

$options = [ 
    'cost' => 12, 
]; 
echo password_hash($password, PASSWORD_BCRYPT, $options); 

Dann, wenn Sie möchten, überprüfen, ob das Passwort in der Datenbank vorhanden ist password_verify(); Wie so verwenden ...

$password = PASSWORD_HERE; 
$stored_hash = HASH_HERE; 

if (password_verify($password, $stored_hash)) { 
    echo 'Password is valid!'; 
} else { 
    echo 'Invalid password.'; 
}