<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Bakawan Web Design</title>
	
	<link>http://www.bakawan.com/log</link>
	<description>i'm sorry we forgot easily</description>
	<lastBuildDate>Wed, 17 Mar 2010 08:36:22 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/bakawan/wkTg" /><feedburner:info uri="bakawan/wktg" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><creativeCommons:license>http://creativecommons.org/licenses/by-nc-nd/3.0/</creativeCommons:license><image><link>http://creativecommons.org/licenses/by-nc-nd/3.0/</link><url>http://creativecommons.org/images/public/somerights20.gif</url><title>Some Rights Reserved</title></image><feedburner:emailServiceId>bakawan/wkTg</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item>
		<title>Personal_Reference:Understanding the Wordpress vulnerability</title>
		<link>http://feedproxy.google.com/~r/bakawan/wkTg/~3/HtrMgYzch4I/</link>
		<comments>http://www.bakawan.com/log/personal_referenceunderstanding-the-wordpress-vulnerability/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 08:22:13 +0000</pubDate>
		<dc:creator>uwiuw</dc:creator>
				<category><![CDATA[Diary]]></category>
		<category><![CDATA[Tutorial]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.bakawan.com/log/?p=2835</guid>
		<description><![CDATA[I have read about this vulnerability problem in an old WordPress version (2.8.3). I still remember being caught up in it at the time, but not really sure what was going on. I didn&#8217;t know why or what the reason was. People used big words while I was still choking on the definition and the proof of concept. And just like everybody, [...]]]></description>
			<content:encoded><![CDATA[<p>I have read about this <a href="http://stackoverflow.com/questions/1267998/understanding-the-wordpress-vulnerability">vulnerability problem</a> in an old WordPress version (2.8.3). I still remember being caught up in it at the time, but not really sure what was going on. I didn&#8217;t know why or what the reason was. People used big words while I was still choking on the definition and the proof of concept. And just like everybody, I panicked, installed the new version, and prayed before going to bed.  </p>
<p>By the way, this reference is about wp-login.php in version 2.8.3. </p>
<pre>
function reset_password($key) {
    global $wpdb;

    // $_GET['key'] may arrive as an array (key[]= in the URL): preg_replace()
    // then returns an array and empty() does not reject it, and there is no
    // is_string() check here to stop it.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword',
'resetpass', 'rp', 'register', 'login')) &#038;&#038; false ===
has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]....

line 370:
</pre>
<p>and now in 2.9.1 (which I use as reference), the code above has changed into</p>
<pre>
function reset_password($key, $login) {
     global $wpdb;
     $key = preg_replace('/[^a-z0-9]/i', '', $key);
     // is_string() rejects an array-valued key (key[]= in the URL)
     if ( empty( $key ) || !is_string( $key ) )
          return new WP_Error('invalid_key', __('Invalid key'));
     // the login must now match as well, so a key alone is not enough
     if ( empty($login) || !is_string($login) )
          return new WP_Error('invalid_key', __('Invalid key'));
     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
          WHERE user_activation_key = %s AND user_login = %s", $key, $login));
     if ( empty( $user ) )
          return new WP_Error('invalid_key', __('Invalid key'));

     // Generate something random for a password…
     $new_pass = wp_generate_password();
     do_action('password_reset', $user, $new_pass);

     wp_set_password($new_pass, $user->ID);
     update_usermeta($user->ID, 'default_password_nag', true); 

     //Set up the Password change nag.

     $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n";
     $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n";
     $message .= site_url('wp-login.php', 'login') . "\r\n";

     // The blogname option is escaped with esc_html on the way into
     // the database in sanitize_option
     // we want to reverse this for the plain text arena of emails.

     $blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
     $title = sprintf(__('[%s] Your new password'), $blogname);

     $title = apply_filters('password_reset_title', $title);
     $message = apply_filters('password_reset_message', $message, $new_pass);

     if ( $message &#038;&#038; !wp_mail($user->user_email, $title, $message) )
          die('&lt;p&gt;' . __('The e-mail could not be sent.') . "\n" .
               __('Possible reason: your host may have disabled the mail() function…') . '&lt;/p&gt;');

     wp_password_change_notification($user);
     return true;
}

case 'resetpass' :
case 'rp' :
      $errors = reset_password($_GET['key'], $_GET['login']);
      if ( ! is_wp_error($errors) ) {
            wp_redirect('wp-login.php?checkemail=newpass');
            exit();
      }
      wp_redirect('wp-login.php?action=lostpassword&#038;error=invalidkey');
      exit();
      break;
</pre>
<p>Now it is able to close this vulnerability. In the previous 2.8.3, the person who wanted to hack the website used </p>
<blockquote><p>http://DOMAIN_NAME.TLD/wp-login.php?action=rp&#038;key[]=</p></blockquote>
<p> and it&#8217;s very clever. But after version 2.9.3, reset_password needs 2 arguments before it works, and it validates both of them (each must be a non-empty string). Hmm, seems good.</p>
<p>Long time ago, I coded a login / registration algorithm and it looks similar to the 2.8.3 version even though it is used in the latest WordPress version. The website needed a custom registration page with various hard-coded meta fields. Some yada yada, and it&#8217;s not hidden behind SSL. So, I&#8217;m worried. Maybe I need to contact them if time permits.</p>
<p>Right now, at least, I can understand why some people say that WordPress is badly written software. Ah, I really don&#8217;t care how badly WordPress is written. For me, it&#8217;s the closest thing to a piece of rainbow. It puts food on the table. So I will work on it as long as I can. ;)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bakawan.com/log/personal_referenceunderstanding-the-wordpress-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.bakawan.com/log/personal_referenceunderstanding-the-wordpress-vulnerability/</feedburner:origLink></item>
		<item>
		<title>Howto Show Parent Category only in WP Dashboard Panel</title>
		<link>http://feedproxy.google.com/~r/bakawan/wkTg/~3/kVOTlGneN0Q/</link>
		<comments>http://www.bakawan.com/log/howto-show-parent-category-only-in-wp-dashboard-panel/#comments</comments>
		<pubDate>Tue, 16 Mar 2010 12:51:35 +0000</pubDate>
		<dc:creator>uwiuw</dc:creator>
				<category><![CDATA[Tutorial]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.bakawan.com/log/?p=2826</guid>
		<description><![CDATA[I have been able to find a way to mass delete categories. But unfortunately I haven&#8217;t been able to do it directly. I have to split the delete process into two separate steps. First I delete the category, then forcefully move all its posts into the default category, where the cron job I set up before will delete them [...]]]></description>
			<content:encoded><![CDATA[<p>I have been able to find a way to <a href="http://www.bakawan.com/log/confused-by-wordpress-category/">mass delete categories</a>. But unfortunately I haven&#8217;t been able to do it directly. I have to split the delete process into two separate steps. First I delete the category, then forcefully move all its posts into the default category, where the cron job I set up before will delete them eventually.</p>
<p>By the way, I managed to make the client satisfied with another category-related customization.  I made the category panel in the dashboard only show parent categories, as he requested. So this makes the panel only show the categories he wants. I don&#8217;t know why he needs something like this. But <em>see no evil hear no evil, your wish is my command</em>. I did it anyway.</p>
<p>By the way, anybody who needs this should put the code below in <strong>functions.php</strong></p>
<pre>
// 'get_terms' is a filter: add_action() works only because it is an alias of
// add_filter(), so add_filter() is the idiomatic call here.
add_filter('get_terms', 'bk_show_cat_parent_only');

function bk_show_cat_parent_only($cat) {
	// Only touch the dashboard; the public site keeps the full term list.
	// get_terms() can also return a WP_Error or, with other 'fields' settings,
	// a plain list of ids or names, so only filter a list of term objects.
	if ( ! is_admin() || ! is_array($cat) ) {
		return $cat;
	}

	// Note: the get_terms filter fires for every taxonomy, so in the admin this
	// hides child terms of all taxonomies (tags included), not only categories.
	$hasil = array();	// "hasil" = result

	$default_cat = get_option('default_category');

	foreach ($cat as $cat_object) {
		// keep only top-level terms, and never the default category
		if ( is_object($cat_object) &#038;&#038; $cat_object->parent == 0 &#038;&#038; $cat_object->term_id != $default_cat ) {
			$hasil[] = $cat_object;
		}
		// FIXME : Count the object --> add filter to
		// 'edit_categories_per_page'
		// as much as count
	}

	return $hasil;
}
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.bakawan.com/log/howto-show-parent-category-only-in-wp-dashboard-panel/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.bakawan.com/log/howto-show-parent-category-only-in-wp-dashboard-panel/</feedburner:origLink></item>
		<item>
		<title>After Reading : WP Coder have no Class</title>
		<link>http://feedproxy.google.com/~r/bakawan/wkTg/~3/Zbn6AHNd4Ic/</link>
		<comments>http://www.bakawan.com/log/after-reading-wp-coder-have-no-class/#comments</comments>
		<pubDate>Sun, 14 Mar 2010 18:14:46 +0000</pubDate>
		<dc:creator>uwiuw</dc:creator>
				<category><![CDATA[Diary]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.bakawan.com/log/?p=2813</guid>
		<description><![CDATA[I just read Wordpress Coders have no class and, contrary to the provocative title, this article gives an astonishingly deep look at how the WordPress community and its way of coding is so different from the rest of the PHP community. What I mean is&#8230;ah, just read it if you read mine.
This article describes how WP coders have a culture not [...]]]></description>
			<content:encoded><![CDATA[<p>I just read <a href="http://www.arickmann.co.uk/wordpress-coders-have-no-class/">Wordpress Coders have no class</a> and, contrary to the provocative title, this article gives an astonishingly deep look at how the WordPress community and its way of coding is so different from the rest of the PHP community. What I mean is&#8230;ah, just read it if you read mine.</p>
<p>This article describes how WP coders have a culture of not using OOP (Object Oriented Programming), a way of coding that can be described as the better way of coding. It has been used in Java, C++, and PHP 5. But because WP still supports installation on servers with PHP 4&#8230; (the rest of this topic I still struggle to comprehend) </p>
<p>Frankly, before reading this article, I had this low esteem as somebody who learned PHP the wrong way. My friend and ex-coworker called me a <em>Banci</em> aka <em>Karbit</em> coder &#8211; somebody who learns WordPress first and then tries to learn advanced PHP. So, most of the time, I follow my coding habit: I don&#8217;t encapsulate my functions in classes. I don&#8217;t do fancy dancing. I just solve problems. Period.</p>
<p>I customize to solve problems fast and don&#8217;t really consider any redesign, re-customization, or refactoring. Most of the time, what I do is bend WordPress, rather than utilize or fork it with a light-weight PHP framework like CodeIgniter or a similar CMS.</p>
<p>This <em>lack of future-proofing, of understanding that shit can pour anytime soon</em> mentality is covered by my good habit of putting detailed descriptions in the comment section. Every tiny process will be explained. I also always explain the arguments, the return value, and the debug output if available. And I separate my customizations into several files to localize their features. </p>
<p>I believe I follow the right way to make my code easy to understand. But still, I don&#8217;t do classes. I&#8217;m a karbit. I understand WP more than PHP. (<del datetime="2010-03-01T06:53:14+00:00">Damn you pepa!</del>). If somebody asks me to read a file, I prefer WP classes (such as filereader and streamreader) rather than PHP built-in functions. I&#8217;m a karbit.</p>
<p>Honestly, I like to read Otto&#8217;s (<a href="http://ottodestruct.com/">ottodestruct.com</a>) blog. He&#8217;s one of my WP heroes. I learn a lot from reading his plugins. So I got this stupid expression when he said that most of the time OOP in WP plugins is a waste of time: </p>
<p><em>The big problem with OOP techniques is that people who have just learned them tend to want to use them everywhere, even where it makes no sense. A WordPress plugin is, generally, a place where it makes absolutely no sense to do so. </em></p>
<p>I know it&#8217;s true. But sometimes it is hard to explain this to others. <del datetime="2010-03-01T06:44:37+00:00">Just with pepa, we have very different styles of coding and preferences. We do our parts the way we like. My part is mostly procedural and rarely has classes, while Pepa&#8217;s is the opposite. But fuck shit, it works!</del> </p>
<p>UPDATE: Otto has a new site about WordPress, <a href="http://ottopress.com/">ottopress.com</a>. It seems he migrated his more technical stuff there. I will definitely come by from time to time to find some inspiration.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bakawan.com/log/after-reading-wp-coder-have-no-class/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.bakawan.com/log/after-reading-wp-coder-have-no-class/</feedburner:origLink></item>
</channel>
</rss>
