From 4d60b191940d9c7740d521ddbaf85f0623a17001 Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Sat, 31 Jan 2015 12:51:20 +0100
Subject: [PATCH] only update hash if password matches, fixes #1479
Signed-off-by: Michael Kaufmann (d00p)
---
 .../function.validatePasswordLogin.php | 21 ++++++++++---------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/lib/functions/validate/function.validatePasswordLogin.php b/lib/functions/validate/function.validatePasswordLogin.php
index 4b7ccc03..599809ae 100644
--- a/lib/functions/validate/function.validatePasswordLogin.php
+++ b/lib/functions/validate/function.validatePasswordLogin.php
@@ -60,19 +60,20 @@ function validatePasswordLogin($userinfo = null, $password = null, $table = 'pan
 }
 }
 
- // check for update of hash
- if ($update_hash) {
- $upd_stmt = Database::prepare("
- UPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid
- ");
- $params = array (
+ if ($pwd_hash == $pwd_check) {
+
+ // check for update of hash
+ if ($update_hash) {
+ $upd_stmt = Database::prepare("
+ UPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid
+ ");
+ $params = array (
 'newpasswd' => makeCryptPassword($password),
 'uid' => $userinfo[$uid]
- );
- Database::pexecute($upd_stmt, $params);
- }
+ );
+ Database::pexecute($upd_stmt, $params);
+ }
 
- if ($pwd_hash == $pwd_check) {
 return true;
 }
 return false;
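Review bot: The new guard `if ($pwd_hash == $pwd_check) {` still compares the two hash strings with loose `==`, which in PHP falls back to numeric comparison when both operands look numeric, so a credential check here can accept non-identical strings; the comparison that now gates both the login result and the rehash should be strict and, ideally, constant-time. Change the line to `if (hash_equals($pwd_check, $pwd_hash)) {` where the project's minimum PHP version provides it (5.6+), or at least `if ($pwd_hash === $pwd_check) {`. The values of $pwd_hash and $pwd_check are computed outside this hunk, so which one is the stored hash (the "known" first argument to hash_equals) should be confirmed against that code. The enclosing function validatePasswordLogin starts and ends outside the hunk.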