The following code snippet should not emit ‘MATCHED’ because the password ‘testtest’ does not match ‘testtesttest’, but does on PHP 7.4.3 for me. Am I doing something wrong?
<?php
$sPass = 'testtesttest';
$sSalt = hash('sha256','this is my salt');
$sShadow = password_hash($sSalt . $sPass,PASSWORD_BCRYPT);
echo (password_verify($sSalt . 'testtest',$sShadow) ? 'MATCHED' : 'nomatch');