only update hash if password matches, fixes #1479

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>

lib/functions/validate/function.validatePasswordLogin.php

@@ -60,19 +60,20 @@ function validatePasswordLogin($userinfo = null, $password = null, $table = 'pan
 		}
 	}
 
-	// check for update of hash
-	if ($update_hash) {
-		$upd_stmt = Database::prepare("
-			UPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid
-		");
-		$params = array (
+	if ($pwd_hash == $pwd_check) {
+
+		// check for update of hash
+		if ($update_hash) {
+			$upd_stmt = Database::prepare("
+				UPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid
+			");
+			$params = array (
 				'newpasswd' => makeCryptPassword($password),
 				'uid' => $userinfo[$uid]
-		);
-		Database::pexecute($upd_stmt, $params);
-	}
+			);
+			Database::pexecute($upd_stmt, $params);
+		}
 
-	if ($pwd_hash == $pwd_check) {
 		return true;
 	}
 	return false;