<?php

try {
  $user = get_user_from_database($emailFromLoginForm); // pseudo

  if ($user->password === md5($plainTextPasswordFromLoginForm)) {
    // We've identified that the password in the database is a md5 hash, so
    // we'll salt and hash the plain-text password and save it
    $saltedPassword = password_hash($plainTextPasswordFromLoginForm, PASSWORD_DEFAULT);
    $user->password = $saltedPassword; // pseudo
    $user->save(); // pseudo
  }
  if (!password_verify($password, $user->password)) {
    throw new LoginException('Invalid password.');
  }
  return true;
} catch (LoginException $e) {
  log('debug', $e->getMessage());
  return false;
}