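user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) )
// where $login->user_login comes from get_userdatabylogin()
// We replace the original pluggable function get_userdatabylogin
// with the following,
// where the only difference is my liberal use of sanitize_user()
if ( !function_exists('get_userdatabylogin') ) :
/**
 * Look up a user row (with its usermeta folded in) by login name.
 *
 * Override of the WordPress pluggable get_userdatabylogin(). Same contract as
 * core: returns the user object, or false when the login is empty or unknown.
 * The lines marked "AA" are the plugin's additions: user_login is passed
 * through sanitize_user() on the way in and again on the object handed back,
 * whether it came from the cache or from the database.
 *
 * Review note: $user_login is form input (untrusted). sanitize_user() restricts
 * the character set, but the query below is still built by string
 * interpolation, so the value is additionally run through $wpdb->escape() and
 * the usermeta lookup interpolates an (int)-cast id instead of the raw column.
 * On WordPress versions that provide $wpdb->prepare(), that is the preferred
 * form; it is not used here to keep the plugin's original compatibility range.
 *
 * @param string $user_login  Login name as submitted.
 * @return object|false       User row with usermeta properties attached, or false.
 */
function get_userdatabylogin($user_login) {
    global $wpdb;

    // AA this sanitize_user came from the original source
    $user_login = sanitize_user( $user_login );
    if ( empty( $user_login ) )
        return false;

    // Fast path: object cached under the sanitized login.
    $userdata = wp_cache_get($user_login, 'userlogins');
    if ( $userdata ) {
        //AA next line is new
        $userdata->user_login = sanitize_user( $userdata->user_login );
        return $userdata;
    }

    // Escape for SQL separately from sanitize_user(): identity normalisation
    // and database escaping are different concerns, and relying on the former
    // to guarantee the latter is fragile if sanitize_user() ever changes.
    $login_sql = $wpdb->escape( $user_login );
    $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$login_sql'");
    if ( !$user )
        return false;

    //AA next line is new
    $user->user_login = sanitize_user( $user->user_login );

    // Bracketed with hide_errors()/show_errors() exactly as in core; the id is
    // cast to int before interpolation so a non-numeric column value cannot
    // alter the query.
    $user_id = (int) $user->ID;
    $wpdb->hide_errors();
    $metavalues = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'");
    $wpdb->show_errors();

    if ($metavalues) {
        foreach ( $metavalues as $meta ) {
            // NOTE(review): meta_key is used verbatim as a property name, so a
            // usermeta row whose key matches a users column (e.g. user_login,
            // user_pass) overwrites that column on the returned object, and this
            // happens AFTER the sanitize_user() call above. Kept as in core;
            // confirm whether that is acceptable for this plugin's purpose.
            $value = maybe_unserialize($meta->meta_value);
            $user->{$meta->meta_key} = $value;

            // We need to set user_level from meta, not row
            if ( $wpdb->prefix . 'user_level' == $meta->meta_key )
                $user->user_level = $meta->meta_value;
        }
    }

    // For backwards compat.
    if ( isset($user->first_name) )
        $user->user_firstname = $user->first_name;
    if ( isset($user->last_name) )
        $user->user_lastname = $user->last_name;
    if ( isset($user->description) )
        $user->user_description = $user->description;

    // Populate both caches so later lookups by id or by login hit the fast path.
    wp_cache_add($user->ID, $user, 'users');
    wp_cache_add($user->user_login, $user, 'userlogins');

    return $user;
}
endif;
?>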