So if you’re running wordpress and you have your username as “Jordan” and you login with the username “jordan” it will tell you that your password is incorrect, even though it’s your account that’s wrong. If you login with jordan1 it will tell you the username is wrong. Oops.
Apparently there’s been a fix in the bug tracking system since Feb 2005. And yet it hasn’t actually made it into any of the published source for quite some time. I wonder why — the example works fine for me. In WordPress 2.0.2, the code is moved around a bit. Edit the function get_userdatabylogin in wp-includes/pluggable-functions.php on the following line:
if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$user_login'") )
And just add the word BINARY after the WHERE.
Voila — now if you get the username wrong you’ll actually be informed that you got the username wrong. It looks like the BINARY operator has been around since at least MySQL 4.1 (probably much longer), but of course, YMMV.
Thank you for posting this. How can this also be fixed for the password recovery?
Left by Jan on February 2nd, 2007