Use plain string comparison for any stored value not starting with a dollar
sign (which identifies all modern crypts), so that originals are kept for later
resend (deliberately favouring user friendliness over security).
# verify password
$authhash = md5($usertest);
if (isset($inpass)) {
- if (!password_verify($inpass, $usertest)) return;
+ if (substr($usertest, 0, 1) == '$') {
+ if (!password_verify($inpass, $usertest)) return;
+ }
+ else {
+ if ($inpass !== $usertest) return;
+ }
}
else {
if ($inauth !== $authhash) return;
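Review bot: The new plaintext branch, `if ($inpass !== $usertest) return;`, compares the secret with `!==`, which is not constant-time. It also lets an empty submission through when the stored value is an empty string, since `substr('', 0, 1)` never equals `'$'`. I would write it as `if (!is_string($inpass) || (string) $usertest === '' || !hash_equals((string) $usertest, $inpass)) return;`. For these legacy rows, the context line `$authhash = md5($usertest);` makes the `$inauth` token an unsalted MD5 of the password itself, so it is password-equivalent wherever it is stored or sent; a comment such as `// legacy plaintext row: $authhash is md5 of the password, treat as a credential` would record that. The trailing `else` block continues outside the hunk, so how `$inauth` is obtained is not visible here.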