• Resolved angarf

    (@angarf)


    Does anyone know why the password equality check is made without using wp_check_password to compare $userdata['user_pass'] and $user_obj->user_pass?

    Not so bad, but if the password coming from $userdata['user_pass'] is in fact the one present in db, then the following check is wrong:
    if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {

    The passwords are the same but $userdata['user_pass'] is in clear text and $user_obj->user_pass is hashed.


    This behaviour drove me crazy for some hours until I realized that the code is this way. If the check is done with the password in clear text and the password hashed, this equality check is pointless. Why not use the following instead?

    if ( ! empty( $userdata['user_pass'] ) && ! wp_check_password( $userdata['user_pass'], $user_obj->user_pass ) ) {

    For sure it is something I missed. Does anyone know why it is this way?

    • This topic was modified 11 months ago by angarf.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    In some contexts, wp_update_user() could be passed $userdata['user_pass'] as the password hash and not plain text. For example, when updating other user data besides their password, you'd first get the current data, alter whichever fields you need to, then pass it all to wp_update_user(). Since $userdata came from the DB, $userdata['user_pass'] would already be hashed and we wouldn't want to hash the hash 🙂 Thus we need to confirm that $userdata['user_pass'] !== $user_obj->user_pass, indicating we're updating the password from plain text and it does need to be hashed.
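
The behaviour described in the moderator's reply, as an added example that is not part of the thread or of WordPress core: PHP's `password_hash()` and `password_verify()` stand in for `wp_hash_password()` and `wp_check_password()`, and the `resolve_pass_*` and `report` function names are hypothetical. It runs the strict comparison and the verification-based check from the question against a stored hash passed back unchanged and against a new plain-text password.

```php
<?php
// Added illustration, not WordPress core code. password_hash()/password_verify()
// are stand-ins for wp_hash_password()/wp_check_password(); names are hypothetical.

// Rule from the quoted core line: hash only when the submitted value differs
// from the stored hash string.
function resolve_pass_strict(string $submitted, string $stored_hash): string {
    if ($submitted !== '' && $submitted !== $stored_hash) {
        return password_hash($submitted, PASSWORD_DEFAULT); // treated as new plain text
    }
    return $stored_hash; // value came back from the DB unchanged: keep it
}

// Alternative proposed in the question: decide by verifying against the hash.
function resolve_pass_verify(string $submitted, string $stored_hash): string {
    if ($submitted !== '' && !password_verify($submitted, $stored_hash)) {
        return password_hash($submitted, PASSWORD_DEFAULT);
    }
    return $stored_hash;
}

function report(string $label, bool $value): void {
    printf("%-58s %s\n", $label, $value ? 'yes' : 'no');
}

// Constructed sample data.
$plain  = 'correct horse battery staple';
$stored = password_hash($plain, PASSWORD_DEFAULT);

// Case 1: read-modify-write. The caller loaded the user, changed another field,
// and passes user_pass back exactly as it was read from the DB (already hashed).
$strict = resolve_pass_strict($stored, $stored);
$verify = resolve_pass_verify($stored, $stored);
report('strict rule: stored hash left untouched?', $strict === $stored);
report('strict rule: original password still verifies?', password_verify($plain, $strict));
report('verify rule: stored hash left untouched?', $verify === $stored);
report('verify rule: original password still verifies?', password_verify($plain, $verify));

// Case 2: a genuine password change submitted as new plain text.
$new = 'a different passphrase';
report('strict rule: new password verifies after update?',
    password_verify($new, resolve_pass_strict($new, $stored)));
report('verify rule: new password verifies after update?',
    password_verify($new, resolve_pass_verify($new, $stored)));
```

In the read-modify-write case the verification-based rule treats the stored hash as a new password and hashes it again, after which the user's original password no longer verifies; the strict comparison passes the hash through unchanged.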

    Thread Starter angarf

    (@angarf)

    Many thanks for your explanation. From my point of view, this duality is a bit confusing without explicitly telling the method the password hashing status. Anyway, now everything makes sense. Now I understand. Many thanks.

  • The topic ‘Password input check in wp_user_update()’ is closed to new replies.