Ticket #954 (closed defect (bug): wontfix)

Opened 4 years ago

Last modified 2 years ago

Login page returns wrong error message

Reported by: TigerDE2 Assigned to: anonymous
Priority: normal Milestone:
Component: General Version: 1.5
Severity: minor Keywords:
Cc:

Description

When providing a user name that exists but is written with different capitalization, WP returns "Wrong Password" (even if the password is correct). It should return "Wrong Login" or it should treat it as case insensitive and log you in.

Change History

02/23/05 12:42:14 changed by TigerDE2

  • Patch set to No.

06/02/05 01:53:37 changed by sdanelson

WP-1.5.1.1 running on Apache-2.0.53(Win32)/PHP-4.3.10/MySql-4.1.11. wp-includes/pluggable-functions.php line 84. Still in latest version in the svn repo.

Caused by the way string comparisons are handled in MySql and PHP. PHP is case sensitive. MySql case insensitive. See user comments in MySql docs.

MySql will return 'admin' if you search for 'ADMIN' and vice versa. So the first test passes because mysql returns a result, but then the second test fails because 'admin' != 'ADMIN' giving the wrong error message.

Code section from repo.

$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");

	if (!$login) {
		$error = __('<strong>Error</strong>: Wrong username.');
		return false;
	} else {
		// If the password is already_md5, it has been double hashed.
		// Otherwise, it is plain text.
		if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
			return true;
		} else {
			$error = __('<strong>Error</strong>: Incorrect password.');
			$pwd = '';
			return false;
		}
	}

Proposed fix: edit the SQL statement to include BINARY operator.

$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE BINARY user_login = '$username'");

Should test in the lowest supported version of MySql. I made the change on my local version without problems.
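
The mismatch described in the comment above, reproduced as an added example that is not part of the ticket or of WordPress: a case-insensitive database lookup followed by a case-sensitive comparison in application code, with and without a binary comparison in the query. It assumes SQLite's COLLATE NOCASE / COLLATE BINARY as stand-ins for MySQL's default comparison and the BINARY operator; the sample account, make_db() and login() are constructed for illustration, and only the plain-text password branch is modelled.

```python
import hashlib
import sqlite3


def md5_hex(text):
    # MD5 only because the ticket's 2005 code stores md5(password).
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    # Assumption: COLLATE NOCASE stands in for the case-insensitive
    # comparison MySQL applies to user_login in the ticket.
    db.execute(
        "CREATE TABLE users (ID INTEGER PRIMARY KEY, "
        "user_login TEXT COLLATE NOCASE, user_pass TEXT)"
    )
    # Constructed sample account.
    db.execute(
        "INSERT INTO users (user_login, user_pass) VALUES (?, ?)",
        ("admin", md5_hex("s3cret")),
    )
    return db


def login(db, username, password, binary=False):
    """Return (ok, error) following the control flow quoted in the ticket."""
    # binary=True models the proposed fix; SQLite spells it COLLATE BINARY.
    column = "user_login COLLATE BINARY" if binary else "user_login"
    row = db.execute(
        f"SELECT ID, user_login, user_pass FROM users WHERE {column} = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False, "Wrong username."
    _, user_login, user_pass = row
    # Python's == is case sensitive, like the PHP comparison in the ticket.
    if user_login == username and user_pass == md5_hex(password):
        return True, ""
    return False, "Incorrect password."


if __name__ == "__main__":
    db = make_db()
    for name in ("admin", "ADMIN"):
        for binary in (False, True):
            print(name, "binary" if binary else "default",
                  login(db, name, "s3cret", binary))
```

With the default comparison, 'ADMIN' plus the correct password reaches the password branch and gets the password error; with the binary comparison the same input is rejected at the username check.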

08/21/05 02:50:20 changed by seth

Can we get this into 1.6? Usernames should definitely be case-insensitive.

08/30/06 06:13:30 changed by filosofo

  • status changed from new to closed.
  • resolution set to wontfix.

Making usernames case-insensitive could cause backwards-compatibility problems; also, anyone who wants to make usernames case-insensitive just needs to use the 'sanitize_user' filter hook.