diff --git a/login.php b/login.php
index 7e23321..30c2008 100644
--- a/login.php
+++ b/login.php
@@ -24,48 +24,67 @@ if (!$conn) {
 $loginError = null;
 
 if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-    $uname = isset($_POST['uname']) ? $_POST['uname'] : '';
+    $uname = trim(isset($_POST['uname']) ? $_POST['uname'] : '');
     $pw    = isset($_POST['pw']) ? $_POST['pw'] : '';
 
     // Basic Validierung
     if ($uname === '' || $pw === '') {
         $loginError = "Bitte Username und Passwort eingeben.";
-    }
-    else {
-        // Login ist SELECT, nicht INSERT
-        $stmt = mysqli_prepare($conn, "SELECT id, pw FROM user WHERE un = ?");
-        mysqli_stmt_bind_param($stmt, "s", $uname);
-        mysqli_stmt_execute($stmt);
-        $result = mysqli_stmt_get_result($stmt);
+    } else {
+        // Login ist SELECT, mit Prepared Statement (sicher) und ?-Platzhalter
+        $stmt = mysqli_prepare(
+                $conn,
+                "SELECT displayName, passwordHash FROM users WHERE displayName = ? LIMIT 1"
+        );
 
-        $user = $result ? mysqli_fetch_assoc($result) : null;
+        if (!$stmt) {
+            $loginError = "Datenbankfehler.";
+        } else {
+            mysqli_stmt_bind_param($stmt, "s", $uname);
+            mysqli_stmt_execute($stmt);
 
-        // Falls du Passwörter gehasht speicherst: password_verify($pw, $user['pw'])
-        // Wenn aktuell Klartext (nicht empfohlen): $pw === $user['pw']
-        if ($user && $pw === $user['pw']) {
-            $_SESSION['user_id'] = (int)$user['id'];
-            $_SESSION['username'] = $uname;
+            $result = mysqli_stmt_get_result($stmt);
+            $user = $result ? mysqli_fetch_assoc($result) : null;
 
-            mysqli_close($conn);
-            header("Location: index.php");
-            exit;
+            // Passwort prüfen: Eingabe gegen gespeicherten Hash (password_hash/password_verify)
+            if ($user && password_verify($pw, $user['passwordHash'])) {
+                // Optional: Rehash, falls Algorithmus/Cost geändert wurde
+                if (password_needs_rehash($user['passwordHash'], PASSWORD_DEFAULT)) {
+                    $newHash = password_hash($pw, PASSWORD_DEFAULT);
+                    $upd = mysqli_prepare($conn, "UPDATE user SET passwordHash = ? WHERE id = ?");
+                    if ($upd) {
+                        $id = (int)$user['id'];
+                        mysqli_stmt_bind_param($upd, "si", $newHash, $id);
+                        mysqli_stmt_execute($upd);
+                        mysqli_stmt_close($upd);
+                    }
+                }
+
+                $_SESSION['user_id']     = (int)$user['id'];
+                $_SESSION['username']    = $user['un'];
+                $_SESSION['displayName'] = $user['displayName'];
+
+                mysqli_stmt_close($stmt);
+                mysqli_close($conn);
+
+                header("Location: index.php");
+                exit;
+            }
+
+            $loginError = "Ungültige Zugangsdaten.";
+            mysqli_stmt_close($stmt);
         }
-
-        $loginError = "Ungültige Zugangsdaten.";
     }
 }
+
+include 'header.php';
 ?>
-
-<?php include 'header.php'; ?>
-
-<!-- Hinweis: header.php öffnet bereits <!DOCTYPE html>, <html>, <head> und <body>. -->
 <link rel="stylesheet" href="assets/css/login.css">
 
 <main class="auth" role="main">
     <section class="auth__grid" aria-label="Login Bereich">
         <div class="auth__card">
             <header class="auth__header">
-
                 <h2 class="auth__title">Login</h2>
                 <p class="auth__subtitle">Melde dich an, um deine Wunschliste zu verwalten und Deals schneller zu speichern.</p>
             </header>
@@ -95,7 +114,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                 <p class="auth__muted"><a href="index.php">Zurück zur Startseite</a></p>
             </div>
         </div>
-
     </section>
 </main>
 
@@ -103,5 +121,3 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 mysqli_close($conn);
 include 'footer.php';
 ?>
-
-<!-- footer.php schließt </body> und </html> -->