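/**
 * Verify that the supplied plaintext password matches the stored hash.
 *
 * Three paths are taken, in this order:
 *  1. Hashing::isSupported() is false: only the legacy credential hash
 *     (Validation::encryptCredentials() with the two extra flags) is checked.
 *  2. Hashing::needsRehash($hash) is true: the legacy hash is checked first;
 *     on a match a replacement hash is written to $rehash and true is returned.
 *  3. Otherwise, or when the legacy check in (2) fails: the decision is
 *     delegated to Hashing::isValid().
 *
 * Security notes:
 *  - Legacy hashes are compared with hash_equals() when it is available, so
 *    the comparison time does not depend on how many leading bytes match.
 *    Where hash_equals() is missing, or either value is not a string, the
 *    original strict comparison (===) is used and the result is unchanged.
 *  - $rehash is written only on the upgrade path (2). Callers should
 *    initialise it before the call and persist it when it has been set;
 *    otherwise the account keeps its legacy hash.
 *  - NOTE(review): the legacy scheme takes $username as an input, presumably
 *    as its salt; confirm in Validation::encryptCredentials().
 *
 * @param string $username the string username
 * @param string $password the plaintext password
 * @param string $hash the password hash from the database
 * @param string &$rehash receives the upgraded hash when a rehash is performed
 * @return bool true if the password is correct, false otherwise
 */
function verifyPassword($username, $password, $hash, &$rehash)
{
    // Short-circuit keeps the original call order: needsRehash() is consulted
    // only when modern hashing is supported.
    $modernSupported = Hashing::isSupported();

    if (!$modernSupported || Hashing::needsRehash($hash)) {
        $legacyHash = Validation::encryptCredentials($username, $password, false, true);

        // Constant-time comparison of the stored and recomputed hashes.
        // hash_equals() rejects non-string arguments, so those cases (and
        // runtimes without the function) keep the strict comparison.
        if (function_exists('hash_equals') && is_string($hash) && is_string($legacyHash)) {
            $legacyMatch = hash_equals($hash, $legacyHash);
        } else {
            $legacyMatch = ($hash === $legacyHash);
        }

        if (!$modernSupported) {
            // modern hashing not supported: the legacy check is the final answer
            return $legacyMatch;
        }

        if ($legacyMatch) {
            // update to new hashing algorithm; the caller is expected to store $rehash
            $rehash = Validation::encryptCredentials($username, $password);
            return true;
        }
    }

    return Hashing::isValid($password, $hash);
}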