Index: ./modules/user/user.module =================================================================== RCS file: /cvs/drupal/drupal/modules/user/user.module,v retrieving revision 1.703 diff -u -p -r1.703 user.module --- ./modules/user/user.module 28 Oct 2006 15:13:41 -0000 1.703 +++ ./modules/user/user.module 29 Oct 2006 12:36:59 -0000 @@ -46,6 +46,7 @@ function user_load($array = array()) { // Dynamically compose a SQL query: $query = array(); $params = array(); + $passcheck = FALSE; foreach ($array as $key => $value) { if ($key == 'uid' || $key == 'status') { @@ -53,8 +54,8 @@ function user_load($array = array()) { $params[] = $value; } else if ($key == 'pass') { - $query[] = "pass = '%s'"; - $params[] = md5($value); + // Because we need the salt to calculate the pass we can only check the pass later + $passcheck = $value; } else { $query[]= "LOWER($key) = LOWER('%s')"; 
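Review bot: Storing the submitted password itself in `$passcheck` (the added `$passcheck = $value;` in the `'pass'` branch) makes the later `$passcheck && ...` tests in the `-67,18` hunk depend on the password's truthiness. A value PHP treats as false (the empty string or `'0'`) therefore leaves the check switched off, and the account matched by the remaining keys is returned without its password being verified. The removed code always added `pass = '%s'` to the query, so this is a regression in the authentication path. Keep the flag and the value separate, e.g. `$passcheck = TRUE; $pass = $value;`, or test `$passcheck !== FALSE` in the `while` and the `if`. user_load's body continues outside this hunk.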
@@ -67,18 +68,27 @@ function user_load($array = array()) { $user = db_fetch_object($result); $user = drupal_unpack($user); - $user->roles = array(); - if ($user->uid) { - $user->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user'; - } + // If the selection includes the key 'pass', we check it here + while ($passcheck && $user->pass != md5((string)$user->created.$passcheck) && $user = db_fetch_object($result)) { + $user = drupal_unpack($user); + } + if ($passcheck && $user->pass != md5((string)$user->created.$passcheck)) { + $user = FALSE; + } else { - $user->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user'; - } - $result = db_query('SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = %d', $user->uid); - while ($role = db_fetch_object($result)) { - $user->roles[$role->rid] = $role->name; + $user->roles = array(); + if ($user->uid) { + $user->roles[DRUPAL_AUTHENTICATED_RID] = 'authenticated user'; + } + else { + $user->roles[DRUPAL_ANONYMOUS_RID] = 'anonymous user'; + } + $result = db_query('SELECT r.rid, r.name FROM {role} r INNER JOIN {users_roles} ur ON ur.rid = r.rid WHERE ur.uid = %d', $user->uid); + while ($role = db_fetch_object($result)) { + $user->roles[$role->rid] = $role->name; + } + user_module_invoke('load', $array, $user); } - user_module_invoke('load', $array, $user); } else { $user = FALSE; 
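Review bot: Both new comparisons, in the `while` condition and in the `if` after it, use the loose `!=` on two MD5 hex strings, and PHP compares numeric-looking strings (for example `0e` followed only by digits) as numbers, so two different hashes can compare equal; use `!==` in both places. The same salt-then-MD5 expression is written out four times across this patch (twice here, twice in user_save), and a single helper would keep the load and save sides from drifting apart. The salt is the account's `created` timestamp and the hash is one MD5 round, so it is unique per account but guessable and fast to compute; a comment such as `// Salt is users.created: per-account, but neither secret nor random.` would record that limit. user_load starts and ends outside this hunk.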
@@ -107,11 +117,13 @@ function user_save($account, $array = ar if ($account->uid) { user_module_invoke('update', $array, $account, $category); - $data = unserialize(db_result(db_query('SELECT data FROM {users} WHERE uid = %d', $account->uid))); + $result = db_fetch_array(db_query('SELECT data, created FROM {users} WHERE uid = %d', $account->uid)); + $data = unserialize($result['data']); + foreach ($array as $key => $value) { if ($key == 'pass' && !empty($value)) { $query .= "$key = '%s', "; - $v[] = md5($value); + $v[] = md5((string)$result['created'].$value); } else if ((substr($key, 0, 4) !== 'auth') && ($key != 'pass')) { if (in_array($key, $user_fields)) { @@ -169,7 +181,7 @@ function user_save($account, $array = ar switch($key) { case 'pass': $fields[] = $key; - $values[] = md5($value); + $values[] = md5((string)$array['created'].$value); $s[] = "'%s'"; break; case 'uid': case 'mode': case 'sort':
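Review bot: In the update path the new hash is salted with `$result['created']`, read from the database before the `foreach`, while the same loop may also write a new `created` value if that key is present in `$array` and listed in `$user_fields` (not visible in this hunk). In that case the stored hash would be salted with the old timestamp, and user_load, which salts with the row's current `created`, would reject the correct password. Either refuse to change `created` here or choose the salt once before the loop, e.g. `$salt = isset($array['created']) ? $array['created'] : $result['created'];`. `$result` now holds a fetched row rather than a query result, so a name such as `$row` would read better. user_save starts and ends outside this hunk.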
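Review bot: The insert path salts with `$array['created']` inside `case 'pass':`, which matches what user_load computes only if `created` is already set in `$array` to exactly the value written to the row; that assignment is outside this hunk and should be confirmed. If the key is missing, the password is hashed with an empty salt and the new account cannot log in. A guard before the loop, such as `if (!isset($array['created'])) { $array['created'] = time(); }`, would make the dependency explicit. The patch also shows no handling for rows that already hold unsalted `md5($value)` hashes, which the new check in user_load would reject, so an upgrade step or a rehash on the next successful login appears to be needed.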