So we are using a couple of custom things in our WP and one of them is a PW-Recovery form. Using this internally we’re setting the password with
wp_set_password($password, $userId)
Lately we realised a problem with passwords containing the apostrophe character "
Setting a password with this will leave the user unable to log in using the same password that was just set. We have applied nothing to the login process and I can verify that the correct password is entered into the wp_set_password() function as well as the login form.
Any pointers as to where I can look for potential errors would be great. Thank you for your time.
Update 1
Using wp_signon() the user is able to log in using the password Test"123.
Using wp-login.php?page=login and entering the password Test"123 will not work.
Currently looking for all the filters that could potentially interfere with this…
Update 2
Looks to me like an undocumented WordPress feature / bug?
All plugins have been deactivated. The unmodified theme twentyfifteen has been used. Changing the password using wp_set_password() changes the PW in the database. However, using a password with " or ' will result in you being unable to log in using wp-login.php. It will give you an invalid credentials error.
However, using the same login data and wp_signon() it works. I’m just clueless, probably forwarding to WP bug forums.
Update 3
I am using this plugin snippet to reset and test the login.
// Overwrite the password of user ID 1 with a value containing a double quote.
function resetLogin() {
    // wp_set_password('Test"123', 1);
    wp_update_user([
        'ID' => 1,
        'user_pass' => 'Test"123'
    ]);
}
//add_action('after_setup_theme', 'resetLogin');

// Attempt a programmatic login with the same literal password and dump the result.
function testLogin() {
    var_dump(wp_signon([
        'user_login' => 'admin',
        'user_password' => 'Test"123',
        'remember' => true
    ], false));
}
//add_action('after_setup_theme', 'testLogin');
To test, I am commenting in the add_action for resetLogin once, and deactivating it again immediately before doing anything on the page. This then immediately breaks the login on wp-login.php.
2 Answers
The resolution is pretty simple. Those functions require the passwords to be properly escaped. So instead of this:
wp_set_password('Test"123', $userId);
You have to do this:
wp_set_password(wp_slash('Test"123'), $userId);
The same goes for wp_update_user() and wp_signon(). Further information and updates on the docs may be visible from this bug report:
- https://core.trac.wordpress.org/ticket/34297#ticket
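
The mismatch discussed in this thread, modelled as an added example (not code from the question, the answer or WordPress): a stored hash only matches when the password was slashed the same way at set time and at check time. The `demo_*` functions are hypothetical stand-ins, `password_hash()` replaces WordPress's own hasher, and the form-login model assumes the submitted value is checked in its slashed form, as the accepted fix implies.

```php
<?php
// Standalone model of the thread's mismatch; runs without WordPress.
// All demo_* functions are hypothetical stand-ins, not WordPress APIs.

// wp_slash() on a string applies addslashes(): it escapes ' " \ and NUL.
function demo_slash(string $value): string {
    return addslashes($value);
}

// Stand-in for wp_set_password(): hashes exactly the bytes it receives.
// password_hash() replaces WordPress's own hasher for this model.
function demo_set_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Assumed model of wp-login.php: the submitted value is checked in slashed form.
function demo_form_login(string $typed, string $hash): bool {
    return password_verify(demo_slash($typed), $hash);
}

// Model of wp_signon() called from code with a literal, unslashed password.
function demo_direct_login(string $password, string $hash): bool {
    return password_verify($password, $hash);
}

$mark = fn(bool $ok): string => $ok ? 'ok  ' : 'FAIL';

// Constructed sample passwords: three contain a character addslashes() escapes.
$samples = ['Test"123', "Test'123", 'Test\\123', 'Test123'];

printf("%-10s | %-22s | %-22s\n", 'password', 'set raw: form/direct', 'set slashed: form/direct');
foreach ($samples as $pw) {
    $rawHash     = demo_set_password($pw);              // as in the question
    $slashedHash = demo_set_password(demo_slash($pw));  // as in the answer
    printf(
        "%-10s | %s / %s            | %s / %s\n",
        $pw,
        $mark(demo_form_login($pw, $rawHash)),
        $mark(demo_direct_login($pw, $rawHash)),
        $mark(demo_form_login($pw, $slashedHash)),
        $mark(demo_direct_login($pw, $slashedHash))
    );
}
```

Only passwords containing an escaped character diverge, which is why the problem stays hidden for most users. After a slashed set, a direct login needs the slashed value as well, matching the answer's remark about wp_signon().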