Make WordPress Core

Opened 6 years ago

Last modified 6 years ago

#43957 new enhancement

check_password_reset_key could use get_user_by instead of direct query

Reported by: thomaslhotta
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9.5
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

Hi

Just noticed that check_password_reset_key is one of only a few functions making a direct query to the users table. Wouldn't it be more consistent to use the get_user_by function here? I came across this because I am replacing the get_user_by function with my own. Not being able to hook into the user retrieval in check_password_reset_key forces me to take a rather hackish approach by using the 'query' filter.

I cannot see any advantages of making a direct query aside from bypassing the object cache. Maybe there is a security concern that I am not aware of?

Change History (1)

#1 @subrataemfluence
6 years ago

To my understanding, direct database queries are mainly used when we intend to pull values from one or more columns in a table which are indexed in order to gain more speed. In the wp_users table, the indexed columns are:

ID, user_login, user_nicename and user_email.

Since the check_password_reset_key function deals with the user_login column, probably that's the reason a direct database query is used.
