Simply take what the user provides, and use a SELECT statement to grab only the rows containing that hash with that userid; then there would be no security issue, as any userid/pass that does not match would return no rows.
As the password is already stored encoded, you wouldn't be sending an unencoded password to the database; it wouldn't SEE the password unencoded...
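The lookup described above, as an added example that is not part of the original post: the application encodes the submitted password itself and selects on userid plus the stored hash, using bound parameters. The table and column names, the SQLite backend, and the use of salted PBKDF2 as the encoding are assumptions, since the post names none of them.

```python
import hashlib
import os
import sqlite3

# Assumed schema: users(userid, salt, pass_hash). Not from the original post.
SCHEMA = "CREATE TABLE users (userid TEXT PRIMARY KEY, salt BLOB, pass_hash BLOB)"


def encode_password(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-HMAC-SHA256 stands in for "stored encoded".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (userid, salt, pass_hash) VALUES (?, ?, ?)",
        ("alice", salt, encode_password("correct horse", salt)),
    )
    return conn


def login(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    # Step 1: fetch the per-user salt. The userid is a bound parameter,
    # so quote characters in it are data, never SQL.
    row = conn.execute(
        "SELECT salt FROM users WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        return False
    # Step 2: encode in the application; the database only sees the hash.
    candidate = encode_password(password, row[0])
    # Step 3: select only the row with that userid and that hash.
    match = conn.execute(
        "SELECT 1 FROM users WHERE userid = ? AND pass_hash = ?",
        (userid, candidate),
    ).fetchone()
    return match is not None  # no row returned means no login


if __name__ == "__main__":
    db = make_db()
    for uid, pw in [("alice", "correct horse"), ("alice", "wrong"),
                    ("alice' OR '1'='1", "anything")]:
        print(repr(uid), "->", login(db, uid, pw))
```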