Ticket #954 (closed defect (bug): wontfix)
Login page returns wrong error message
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | General | Version: | 1.5 |
| Severity: | minor | Keywords: | |
| Cc: | | | |
Description
When providing a user name that exists but is written with different capitalization, WP returns "Wrong Password". (Even if the password is correct.) It should return "Wrong Login" or it should treat it as case-insensitive and log you in.
Change History
WP-1.5.1.1 running on Apache-2.0.53(Win32)/PHP-4.3.10/MySQL-4.1.11. wp-includes/pluggable-functions.php line 84. Still in latest version in the svn repo.
Caused by the way string comparisons are handled in MySQL and PHP. PHP is case-sensitive; MySQL is case-insensitive. See user comments in the MySQL docs.
MySQL will return 'admin' if you search for 'ADMIN' and vice versa. So the first test passes because MySQL returns a result, but then the second test fails because 'admin' != 'ADMIN', giving the wrong error message.
Code section from repo:

```php
$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
if (!$login) {
    $error = __('<strong>Error</strong>: Wrong username.');
    return false;
} else {
    // If the password is already_md5, it has been double hashed.
    // Otherwise, it is plain text.
    if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
        return true;
    } else {
        $error = __('<strong>Error</strong>: Incorrect password.');
        $pwd = '';
        return false;
    }
}
```
Proposed fix: edit the SQL statement to include the BINARY operator.

```php
$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE BINARY user_login = '$username'");
```

Should test in the lowest supported version of MySQL. I made the change on my local version without problems.
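The following is an added example, not code from the ticket or from WordPress: it models the two layers described above (a case-insensitive MySQL lookup followed by PHP's case-sensitive `==`) to reproduce the misleading message, then the BINARY fix and the alternative of a fully case-insensitive login. The user table, the `mysql_lookup` helper and the `wp_login_*` function names are constructed for the illustration; the md5 storage only mirrors what the 1.5 code does.

```python
import hashlib

# Constructed stand-in for the wp_users table; the password column holds md5()
# of the password, as in WordPress 1.5 (illustration only, not a recommended scheme).
USERS = [
    {"ID": 1, "user_login": "admin", "user_pass": hashlib.md5(b"s3cret").hexdigest()},
]


def mysql_lookup(username, binary=False):
    """Emulate `WHERE user_login = '...'`. MySQL's default collation is
    case-insensitive, so 'ADMIN' matches 'admin'; `WHERE BINARY ...` is exact."""
    for row in USERS:
        if binary and row["user_login"] == username:
            return row
        if not binary and row["user_login"].lower() == username.lower():
            return row
    return None


def wp_login_original(username, password):
    """Mirror the plain-text path of the pluggable-functions.php logic in the ticket."""
    login = mysql_lookup(username)
    if not login:
        return False, "Wrong username."
    # PHP's == on strings is case-sensitive: 'admin' == 'ADMIN' is false, so a
    # correct password still lands in the 'Incorrect password.' branch.
    if login["user_login"] == username and login["user_pass"] == hashlib.md5(password.encode()).hexdigest():
        return True, ""
    return False, "Incorrect password."


def wp_login_binary(username, password):
    """The ticket's proposed fix: exact (BINARY) lookup, so SQL and PHP agree and
    a differently-cased name is rejected at the username check."""
    login = mysql_lookup(username, binary=True)
    if not login:
        return False, "Wrong username."
    if login["user_pass"] == hashlib.md5(password.encode()).hexdigest():
        return True, ""
    return False, "Incorrect password."


def wp_login_case_insensitive(username, password):
    """The reporter's alternative: treat the login name as case-insensitive throughout.
    Note that separate 'wrong username' / 'wrong password' messages tell a caller which
    names exist; a single generic failure message avoids that leak."""
    login = mysql_lookup(username)
    if login and login["user_pass"] == hashlib.md5(password.encode()).hexdigest():
        return True, ""
    return False, "Incorrect username or password."
```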
Can we get this into 1.6? Usernames should definitely be case-insensitive.
