Page 1 of 3

2.9.0 logs

Posted: Sat Aug 17, 2024 1:26 pm
by axew3
file wp_w3all.php

Code: Select all

function wp_check_password($password, $hash, $user_id = '') {
line

Code: Select all

$wpu = get_user_by( 'ID', $user_id );
when called at the time that an user has been just created, like it is on

Code: Select all

public static function w3_check_phpbb_profile_wpnu($username){ 
on class.wp.w3all-phpbb.php
so the situation where, for example, a non existent user in WP, but existing in phpBB, come to login into wordpress:
at this time, the function

Code: Select all

public static function w3_check_phpbb_profile_wpnu($username){ 

fire the WP user insertion, so insert the user into WP, but into this function, so, the just created user is created with an hash that is an hash of the hash phpBB password.
So the function follow on updating to the right one of the phpBB user executing a db update.

But anyway, the problem is, that the instance of the user, is the one created by the
wp_insert_user inside

Code: Select all

public static function w3_check_phpbb_profile_wpnu($username){ 

so doing this

Code: Select all

$wpu = get_user_by( 'ID', $user_id );
inside the wp_check_password function
will get the wrong password of the instanced user object, and not the updated one.

The provided fix will be:

this line on wp_w3all.php

Code: Select all

$wpu = get_user_by( 'ID', $user_id );
will be removed into the wp_check_password function (so the user pass is retrieved directly from the db and not the instanced user object)
then on class.wp.w3all-phpbb.php the

Code: Select all

public static function w3_check_phpbb_profile_wpnu($username){ // email/user_login
will be changed/updated to be this:

Code: Select all

public static function w3_check_phpbb_profile_wpnu($username){ // email/user_login

 if( defined('W3ALL_WPNU_CKU') OR empty($username) ): return; endif;
  global $w3all_phpbb_connection,$w3all_config,$wpdb,$w3all_oninsert_wp_user,$w3all_add_into_wp_u_capability,$w3cookie_domain,$w3all_add_into_phpBB_after_confirm,$w3all_push_new_pass_into_phpbb;

  $username = trim($username);

  if ( strlen($username) > 50 ){
      return;
   }

  $user = is_email($username) ? get_user_by('email', $username) : get_user_by('login', $username);

  $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
  $wpu_db_umtab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'usermeta' : $wpdb->prefix . 'usermeta';

  $username = esc_sql($username);
  //$db_eu = is_email($username) ? 'users.user_email) = \''.mb_strtolower($username,'UTF-8').'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';
  $db_eu = is_email($username) ? 'users.user_email) = \''.strtolower($username).'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';

  $phpbb_user = $w3all_phpbb_connection->get_results("SELECT *
    FROM ". $w3all_config["table_prefix"] ."groups
    JOIN ". $w3all_config["table_prefix"] ."users ON LOWER(". $w3all_config["table_prefix"] . $db_eu ."
    AND ". $w3all_config["table_prefix"] ."users.group_id = ". $w3all_config["table_prefix"] ."groups.group_id");

///////////
// If a frontend plugin bypass default password reset process, and do not let update the new wp password at same time also into phpBB
// force the password update into phpBB onlogin in wordpress.

 if( $w3all_push_new_pass_into_phpbb == 1 ){

  if( isset($phpbb_user[0]->user_id) && $user->user_pass != $phpbb_user[0]->user_password && $phpbb_user[0]->user_id > 2 )
   {
     $new_pass_push = $phpbb_user[0]->user_password = $user->user_pass;
     $w3all_phpbb_connection->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass_push' WHERE LOWER(user_email) = '".$user->user_email."'");
   }

  }

  if( !isset($phpbb_user[0]->user_id) OR $phpbb_user[0]->user_id < 3 ){ return; }

// mums allow only '[0-9A-Za-z]'
// default wp allow allow only [-0-9A-Za-z _.@]

  $contains_cyrillic = (bool) preg_match('/[\p{Cyrillic}]/u', $phpbb_user[0]->username);

  // if do not contain non latin chars, let wp create any wp user_login with this passed username
   if ( is_multisite() && !defined('WPW3ALL_USE_DEFAULT_WP_UCHARS') && preg_match('/[^0-9A-Za-z\p{Cyrillic}]/u',$phpbb_user[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR strlen($phpbb_user[0]->username) > 50 )
   {
    // if ( is_multisite() && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR strlen($phpbb_user[0]->username) > 50 ){

    if (!defined('WPW3ALL_NOT_ULINKED')){
     define('WPW3ALL_NOT_ULINKED', true);
    }
     setcookie ("w3all_set_cmsg", "phpbb_uname_chars_error", 0, "/", $w3cookie_domain, false);
     echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters that are not allowed in this system. Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
      return;
   }

  // activated in phpBB?
 if( $user && !empty($phpbb_user) && $phpbb_user[0]->user_type == 0 && empty($user->wp_capabilities) ){ // re-activate this 'No role' WP user
     $user_role_up = serialize(array($w3all_add_into_wp_u_capability => 1));
     $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '$user_role_up' WHERE user_id = '$user->ID' AND meta_key = 'wp_capabilities'");
  }

  // Banned or deactivated?
 if(!defined("W3BANCKEXEC") && !empty($phpbb_user)){
   if(self::w3_phpbb_ban($phpbb_user[0]->user_id, $phpbb_user[0]->username, $phpbb_user[0]->user_email) === true){
    setcookie ("w3all_set_cmsg", "phpbb_ban", 0, "/", $w3cookie_domain, false);
     self::w3all_wp_logout('wp_login_url'); // should be just a redirect, not a logout, since the user here isn't still logged!
   }
  }

 if ( !empty($phpbb_user) && $phpbb_user[0]->user_type == 1 ){
    setcookie ("w3all_set_cmsg", "phpbb_deactivated", 0, "/", $w3cookie_domain, false);
    self::w3all_wp_logout('wp_login_url');  // well, same as above ... should be just a redirect, not a logout, since the user here isn't still logged
    return;
  }
// END banned or deactivated


 if ( !is_multisite() && !empty($phpbb_user) ) {
  if( $user && $phpbb_user[0]->user_type == 1 && !empty($user->wp_capabilities) ){
   $user_email = strtolower($user_email);
   $w3all_phpbb_connection->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_type = '0' WHERE LOWER(user_email) = '$user_email'");
  }
 }

 if ( ! username_exists( $phpbb_user[0]->username ) && ! email_exists( $phpbb_user[0]->user_email ) && $phpbb_user[0]->user_type != 1 && ! $user && !empty($phpbb_user) ) {

     if ( $phpbb_user[0]->group_name == 'ADMINISTRATORS' ){
          $role = 'administrator';
        } elseif ( $phpbb_user[0]->group_name == 'GLOBAL_MODERATORS' ){
          $role = 'editor';
        } else { // $role = 'subscriber'; // for all others phpBB Groups default to WP subscriber
                 $role = $w3all_add_into_wp_u_capability;
                }

   $userdata = array(
     'user_login' => $phpbb_user[0]->username,
     'user_pass' => $phpbb_user[0]->user_password,
     //'user_email' => $phpbb_user[0]->user_email,
     'user_registered' => date_i18n( 'Y-m-d H:i:s', $phpbb_user[0]->user_regdate ),
     'role' => $role
    );

    $w3all_oninsert_wp_user = 1;
    $user_id = wp_insert_user( $userdata );

   if ( is_wp_error( $user_id ) ) {
    echo '<div style="padding:10px 30px;background-color:#fff;color:#000;font-size:1.3em"><p>' . $user_id->get_error_message() . '</p></div>';
    echo __('<div><p style="padding:10px 30px;background-color:#fff;color:#000;font-size:1.0em"><strong>ERROR: try to reload page, but if the error persist may it mean that the forum\'s logged in username contains illegal characters OR your forum\'s account is not active. Please contact an administrator.</strong></p></div>', 'wp-w3all-phpbb-integration');
    exit;
   }

   if ( ! is_wp_error( $user_id ) ) {
     $phpbb_username = preg_replace( '/\s+/', ' ', $phpbb_user[0]->username );
     $phpbb_username = esc_sql($phpbb_username);
     $uemail = $phpbb_user[0]->user_email;
     $upass = $phpbb_user[0]->user_password;
     $user_username_clean = sanitize_user( $phpbb_user[0]->username, $strict = false );
     $user_username_clean = esc_sql(mb_strtolower($user_username_clean,'UTF-8'));

   // workaround for cyrillic chars: or an username like 'Denis I.' in cyrillic alphabet, will be inserted as a single dot for the user_login value
     if ( $contains_cyrillic ) {
      $wpdb->query("UPDATE $wpu_db_utab SET user_login = '".$phpbb_username."', user_pass = '".$upass."', user_nicename = '".$user_username_clean."', user_email = '".$uemail."', display_name = '".$phpbb_username."' WHERE ID = ".$user_id."");
      $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$phpbb_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
     } else { // leave as is (may cleaned and different) the just created user_login
            $wpdb->query("UPDATE $wpu_db_utab SET user_pass = '".$upass."', user_email = '".$uemail."', display_name = '".$phpbb_username."' WHERE ID = '$user_id'");
            $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$phpbb_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
          }
   }

   if( is_wp_error( $user_id ) ){
      // TODO: return error via cookie instead
      echo '<h3>Error: '.$user_id->get_error_message().'</h3>' . '<h4><a href="'.get_edit_user_link().'">Return back</a><h4>';
      exit;
   } else {

    //if($user){
      define("WPUSERCREATED",true);

       if ( is_multisite() ){
        if ( !function_exists( 'get_current_blog_id' ) ) {
         require_once ABSPATH . WPINC . '/load.php';
        }

        if ( !function_exists( 'add_user_to_blog' ) ) {
         require_once ABSPATH . WPINC . '/ms-functions.php';
        }

        $blogID = get_current_blog_id();

        // this way add only to the current visited blog
        // $role
        $result = add_user_to_blog($blogID, $user_id, $role);
       }

     // let login the user, if pass match
      if(isset($_POST['log']) && isset($_POST['pwd'])){
       wp_check_password(trim($_POST['pwd']), $upass, $user_id);
      }
     //}
    }
 }

 define('W3ALL_WPNU_CKU', true);

}
Now, what it happen is that when a phpBB user come to login into WP and is still not existent (and come as NOT logged in phpBB, so will be added on fly when logging in wp), if the password match, will be correctly logged in, a will not get the wrong password message, until a new login is not repeated (when the WP user object will contain the right data).

All the login flow for all scenarios will be now re-checked, but i think that with last 2.8.9 fixes and this one, all would work smooth into any.

Re: 2.9.0 logs

Posted: Tue Aug 20, 2024 4:46 am
by dilysmoore
Thanks for the fix.

Re: 2.9.0 logs

Posted: Tue Aug 20, 2024 9:24 am
by axew3
Yes but would be better to test it into any possible behavior, because at the time it has been written and intended as it was, may conflict with something else. Nothing problematic in any case, and nothing that can affect the security: but better to test it about any aspect and fix any possible wrong result about a non updated pass or email in some circumstance. Before the 2.9.0 release it will be tested with many main plugins.
If you are using already and you note any bug in the while, please report!

The complete 2.9.0 fix, into the wp_w3all.php file, provide the change of the wp_check_password like this:

Code: Select all

function wp_check_password($password, $hash, $user_id = '') {

// wp do not allow char \ on password
// phpBB allow \ char on password

   global $wpdb,$wp_hasher,$w3all_add_into_phpBB_after_confirm;
   $password = trim(str_replace(chr(0), '', $password));
   $check = false;
   $hash_x_wp = $hash;

# both fails on retrieve the updated phpBB password when on creating the wp user (then the pass is updated to the good phpBB one)
# ex: 'public static function w3_check_phpbb_profile_wpnu($username){'  fire when
# the phpBB user come to login in WP and then is automatically added and should be logged in on fly

   //$wpu = get_user_by( 'ID', $user_id ); // return the user obj instance of the created user, with hash of the phpBB pass hash
   //$wpu = new WP_User($user_id); // return the user obj instance of the created user, with hash of the phpBB pass hash

    # so going to use a direct query in place of get_user_by(), or the pass hash in this case will not match
    #if(empty($wpu)){
      $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
      $wpu = $wpdb->get_row("SELECT * FROM $wpu_db_utab WHERE ID = '".$user_id."'");
    #}
    if(empty($wpu)){
     $wpu = get_user_by( 'ID', $user_id ); // return the user obj instance of the created user, with hash of the phpBB pass hash, if it is a check after creation of the user
    }

    if( empty($wpu) OR empty($password) OR empty($hash) OR empty($user_id) ){
      return apply_filters( 'check_password', false, $password, $hash, $user_id );
    }

 if(!empty($wpu)){

   $is_phpbb_admin = ( $user_id == 1 ) ? 1 : 0; // switch for phpBB admin // 1 admin 0 all others
   $changed = WP_w3all_phpbb::check_phpbb_passw_match_on_wp_auth($wpu->user_email, $is_phpbb_admin, $wpu);
   if ( $changed !== false && $wpu->ID > 1 ){
      $hash = $changed;
    }

   // If the hash still old md5
    if ( $hash != null && strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
     }

 // Argon2i and Argon2id password hash
 if( $hash && substr($hash, 0, 8) == '$argon2i' ){
  $password = stripslashes(htmlspecialchars($password, ENT_COMPAT)); // " do not need to be converted
  $check = password_verify($password, $hash);
  $HArgon2i = true;
 }

 if ( !isset($check) OR $check !== true && !isset($HArgon2i) ){ // check the default Wp pass: md5 check failed or not fired above
   if ( empty($wp_hasher) ) {
    require_once( ABSPATH . WPINC . '/class-phpass.php');
    $wp_hasher = new PasswordHash(8, true); // 8 wp default
   }
    $check = $wp_hasher->CheckPassword($password, $hash_x_wp);
  }

 if ( $hash && $check !== true && strlen($hash) > 32 && !isset($HArgon2i)){ // Wp check failed, check phpBB pass that's may not Argon2i
    $password = stripslashes($password);
    $password = htmlspecialchars($password, ENT_COMPAT);
    $check = password_verify($password, $hash);
  }

     if ($check === true){

    # check that this user do not need to be added into phpBB, due to $w3all_add_into_phpBB_after_confirm

       if( $w3all_add_into_phpBB_after_confirm == 1 )
       {

      // this is for Ultimate Member plugin, but the logic can be the same for any other plugin
       if(defined( 'um_plugin' )){
          $umeta = get_user_meta($wpu->ID);
         if( isset($umeta['account_status'][0]) && $umeta['account_status'][0] != 'approved' ){
           return apply_filters( 'check_password', false, $password, $hash, $user_id );
          }
        }

      # the following can be added earlier into w3all_add_phpbb_user() function, to check for the hash and may autologin the user
        /*if( isset($_GET['hash']) && $_GET['hash'] != $umeta['account_secret_hash'][0] )
         {
           //create user in phpBB, login the user wp (that will setup the phpbb session also)
          }*/

        WP_w3all_phpbb::create_phpBB_user_res($wpu, 'add_u_phpbb_after_login');
       }

        WP_w3all_phpbb::phpBB_user_session_set_res($wpu);
      } else {
           $check = false;
        }
     return apply_filters( 'check_password', $check, $password, $hash, $user_id );
 } else {
      return apply_filters( 'check_password', false, $password, $hash, $user_id );
     }
}

endif;

Re: 2.9.0 logs

Posted: Sun Aug 25, 2024 9:43 am
by axew3
MOVED TO 2.9.1

ADD light verify credentials
soft_verify_phpbb_credentials()
light_verify_phpbb_credentials()
An useful option that allow to run the integration without checking for the phpBB user's session when the WP page load, once the user result to be logged into WordPress.
When the soft_verify_phpbb_credentials option is active, the user cannot be notified about eventual new personal PMs into phpBB.
There is no db call to phpBB for the logged in user, if the Avatars or Last posts options are also turned off.
Nor for guests.

Maybe better to call it light_verify_phpbb_credentials()
It seem more appropriate.

MOVED TO 2.9.1

Re: 2.9.0 logs

Posted: Sun Aug 25, 2024 9:44 am
by axew3
FIX: languages usernames
phpBB -> WP users

2.9.0 will be able to cover all characters languages, any username can be transferred/added from phpBB into wordpress can be transliterated, with easy. It has been prepared to the final switch but at moment will work only for the Cyrillic alphabet.

Any username that is not in 'Latin-ASCII', will be transliterated into Latin ASCII characters (and any language will be covered, if the running Php is configured with the availability of the transliterator_transliterate() Php native function).
If not available transliterator_transliterate() for the language to be translated, it is required to provide an easy helper that can convert the username into Latin chars then re-convert into the needed language (maybe Chinese or any other).
Usernames are passed then through:

Code: Select all

sanitize_user($username, true);
so all but these chars are removed:

Code: Select all

-0-9A-Za-z _.@
There will be no more difference between multisite or not, the user_login of the user will added using the pattern

Code: Select all

-0-9A-Za-z _.@

Re: 2.9.0 logs

Posted: Sun Aug 25, 2024 9:16 pm
by axew3
On 2.9.0
the follow into this post will result to be obsolete.
Further improvements and changes have been applied both to wp_check_password and the w3_check_phpbb_profile_wpnu functions

axew3 wrote: Tue Aug 20, 2024 9:24 am Yes but would be better to test it into any possible behavior, because at the time it has been written and intended as it was, may conflict with something else. Nothing problematic in any case, and nothing that can affect the security: but better to test it about any aspect and fix any possible wrong result about a non updated pass or email in some circumstance. Before the 2.9.0 release it will be tested with many main plugins.
If you are using already and you note any bug in the while, please report!

The complete 2.9.0 fix, into the wp_w3all.php file, provide the change of the wp_check_password like this:

Code: Select all

function wp_check_password($password, $hash, $user_id = '') {

// wp do not allow char \ on password
// phpBB allow \ char on password

   global $wpdb,$wp_hasher,$w3all_add_into_phpBB_after_confirm;
   $password = trim(str_replace(chr(0), '', $password));
   $check = false;
   $hash_x_wp = $hash;

# both fails on retrieve the updated phpBB password when on creating the wp user (then the pass is updated to the good phpBB one)
# ex: 'public static function w3_check_phpbb_profile_wpnu($username){'  fire when
# the phpBB user come to login in WP and then is automatically added and should be logged in on fly

   //$wpu = get_user_by( 'ID', $user_id ); // return the user obj instance of the created user, with hash of the phpBB pass hash
   //$wpu = new WP_User($user_id); // return the user obj instance of the created user, with hash of the phpBB pass hash

    # so going to use a direct query in place of get_user_by(), or the pass hash in this case will not match
    #if(empty($wpu)){
      $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
      $wpu = $wpdb->get_row("SELECT * FROM $wpu_db_utab WHERE ID = '".$user_id."'");
    #}
    if(empty($wpu)){
     $wpu = get_user_by( 'ID', $user_id ); // return the user obj instance of the created user, with hash of the phpBB pass hash, if it is a check after creation of the user
    }

    if( empty($wpu) OR empty($password) OR empty($hash) OR empty($user_id) ){
      return apply_filters( 'check_password', false, $password, $hash, $user_id );
    }

 if(!empty($wpu)){

   $is_phpbb_admin = ( $user_id == 1 ) ? 1 : 0; // switch for phpBB admin // 1 admin 0 all others
   $changed = WP_w3all_phpbb::check_phpbb_passw_match_on_wp_auth($wpu->user_email, $is_phpbb_admin, $wpu);
   if ( $changed !== false && $wpu->ID > 1 ){
      $hash = $changed;
    }

   // If the hash still old md5
    if ( $hash != null && strlen($hash) <= 32 ) {
        $check = hash_equals( $hash, md5( $password ) );
     }

 // Argon2i and Argon2id password hash
 if( $hash && substr($hash, 0, 8) == '$argon2i' ){
  $password = stripslashes(htmlspecialchars($password, ENT_COMPAT)); // " do not need to be converted
  $check = password_verify($password, $hash);
  $HArgon2i = true;
 }

 if ( !isset($check) OR $check !== true && !isset($HArgon2i) ){ // check the default Wp pass: md5 check failed or not fired above
   if ( empty($wp_hasher) ) {
    require_once( ABSPATH . WPINC . '/class-phpass.php');
    $wp_hasher = new PasswordHash(8, true); // 8 wp default
   }
    $check = $wp_hasher->CheckPassword($password, $hash_x_wp);
  }

 if ( $hash && $check !== true && strlen($hash) > 32 && !isset($HArgon2i)){ // Wp check failed, check phpBB pass that's may not Argon2i
    $password = stripslashes($password);
    $password = htmlspecialchars($password, ENT_COMPAT);
    $check = password_verify($password, $hash);
  }

     if ($check === true){

    # check that this user do not need to be added into phpBB, due to $w3all_add_into_phpBB_after_confirm

       if( $w3all_add_into_phpBB_after_confirm == 1 )
       {

      // this is for Ultimate Member plugin, but the logic can be the same for any other plugin
       if(defined( 'um_plugin' )){
          $umeta = get_user_meta($wpu->ID);
         if( isset($umeta['account_status'][0]) && $umeta['account_status'][0] != 'approved' ){
           return apply_filters( 'check_password', false, $password, $hash, $user_id );
          }
        }

      # the following can be added earlier into w3all_add_phpbb_user() function, to check for the hash and may autologin the user
        /*if( isset($_GET['hash']) && $_GET['hash'] != $umeta['account_secret_hash'][0] )
         {
           //create user in phpBB, login the user wp (that will setup the phpbb session also)
          }*/

        WP_w3all_phpbb::create_phpBB_user_res($wpu, 'add_u_phpbb_after_login');
       }

        WP_w3all_phpbb::phpBB_user_session_set_res($wpu);
      } else {
           $check = false;
        }
     return apply_filters( 'check_password', $check, $password, $hash, $user_id );
 } else {
      return apply_filters( 'check_password', false, $password, $hash, $user_id );
     }
}

endif;
UPDATED it will be instead:

Code: Select all

public static function w3_check_phpbb_profile_wpnu($username){ // email/user_login

 if( defined('W3ALL_WPNU_CKU') OR empty($username) ): return; endif;
  global $w3all_phpbb_connection,$w3all_config,$wpdb,$w3all_oninsert_wp_user,$w3all_add_into_wp_u_capability,$w3cookie_domain,$w3all_add_into_phpBB_after_confirm,$w3all_push_new_pass_into_phpbb;

  $username = trim($username);

  if ( strlen($username) > 50 ){
      return;
   }

  $user = is_email($username) ? get_user_by('email', $username) : get_user_by('login', $username);

  $wpu_db_utab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'users' : $wpdb->prefix . 'users';
  $wpu_db_umtab = (is_multisite()) ? WPW3ALL_MAIN_DBPREFIX . 'usermeta' : $wpdb->prefix . 'usermeta';

  $username = esc_sql($username);
  //$db_eu = is_email($username) ? 'users.user_email) = \''.mb_strtolower($username,'UTF-8').'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';
  $db_eu = is_email($username) ? 'users.user_email) = \''.strtolower($username).'\'' : 'users.username) = \''.mb_strtolower($username,'UTF-8').'\'';

  $phpbb_user = $w3all_phpbb_connection->get_results("SELECT *
    FROM ". $w3all_config["table_prefix"] ."groups
    JOIN ". $w3all_config["table_prefix"] ."users ON LOWER(". $w3all_config["table_prefix"] . $db_eu ."
    AND ". $w3all_config["table_prefix"] ."users.group_id = ". $w3all_config["table_prefix"] ."groups.group_id");

///////////
// If a frontend plugin bypass default password reset process, and do not let update the new wp password at same time also into phpBB
// force the password update into phpBB onlogin in wordpress.

 if( $w3all_push_new_pass_into_phpbb == 1 ){

  if( isset($phpbb_user[0]->user_id) && $user->user_pass != $phpbb_user[0]->user_password && $phpbb_user[0]->user_id > 2 )
   {
     $new_pass_push = $phpbb_user[0]->user_password = $user->user_pass;
     $w3all_phpbb_connection->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_password = '$new_pass_push' WHERE LOWER(user_email) = '".$user->user_email."'");
   }

  }

  if( !isset($phpbb_user[0]->user_id) OR $phpbb_user[0]->user_id < 3 ){ return; }

// mums allow only '[0-9A-Za-z]'
// default wp allow allow only [-0-9A-Za-z _.@]

  $contains_cyrillic = (bool) preg_match('/[\p{Cyrillic}]/u', $phpbb_user[0]->username);

  // if do not contain non latin chars, let wp create any wp user_login with this passed username
   if ( is_multisite() && !defined('WPW3ALL_USE_DEFAULT_WP_UCHARS') && preg_match('/[^0-9A-Za-z\p{Cyrillic}]/u',$phpbb_user[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR strlen($phpbb_user[0]->username) > 50 )
   {
    // if ( is_multisite() && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR $contains_cyrillic && preg_match('/[^-0-9A-Za-z _.@\p{Cyrillic}]/u',$phpbb_user[0]->username) OR strlen($phpbb_user[0]->username) > 50 ){

    if (!defined('WPW3ALL_NOT_ULINKED')){
     define('WPW3ALL_NOT_ULINKED', true);
    }
     setcookie ("w3all_set_cmsg", "phpbb_uname_chars_error", 0, "/", $w3cookie_domain, false);
     echo __('<p style="padding:30px;background-color:#fff;color:#000;font-size:1.3em"><strong>Notice: your username contains illegal characters that are not allowed in this system. Please contact an administrator.</strong></p>', 'wp-w3all-phpbb-integration');
      return;
   }

  // activated in phpBB?
 if( $user && !empty($phpbb_user) && $phpbb_user[0]->user_type == 0 && empty($user->wp_capabilities) ){ // re-activate this 'No role' WP user
     $user_role_up = serialize(array($w3all_add_into_wp_u_capability => 1));
     $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '$user_role_up' WHERE user_id = '$user->ID' AND meta_key = 'wp_capabilities'");
  }

  // Banned or deactivated?
 if(!defined("W3BANCKEXEC") && !empty($phpbb_user)){
   if(self::w3_phpbb_ban($phpbb_user[0]->user_id, $phpbb_user[0]->username, $phpbb_user[0]->user_email) === true){
    setcookie ("w3all_set_cmsg", "phpbb_ban", 0, "/", $w3cookie_domain, false);
     self::w3all_wp_logout('wp_login_url'); // should be just a redirect, not a logout, since the user here isn't still logged!
   }
  }

 if ( !empty($phpbb_user) && $phpbb_user[0]->user_type == 1 ){
    setcookie ("w3all_set_cmsg", "phpbb_deactivated", 0, "/", $w3cookie_domain, false);
    self::w3all_wp_logout('wp_login_url');  // well, same as above ... should be just a redirect, not a logout, since the user here isn't still logged
    return;
  }
// END banned or deactivated


 if ( !is_multisite() && !empty($phpbb_user) ) {
  if( $user && $phpbb_user[0]->user_type == 1 && !empty($user->wp_capabilities) ){
   $user_email = strtolower($user_email);
   $w3all_phpbb_connection->query("UPDATE ".$w3all_config["table_prefix"]."users SET user_type = '0' WHERE LOWER(user_email) = '$user_email'");
  }
 }

 if ( ! username_exists( $phpbb_user[0]->username ) && ! email_exists( $phpbb_user[0]->user_email ) && $phpbb_user[0]->user_type != 1 && ! $user && !empty($phpbb_user) ) {

     if ( $phpbb_user[0]->group_name == 'ADMINISTRATORS' ){
          $role = 'administrator';
        } elseif ( $phpbb_user[0]->group_name == 'GLOBAL_MODERATORS' ){
          $role = 'editor';
        } else { // $role = 'subscriber'; // for all others phpBB Groups default to WP subscriber
                 $role = $w3all_add_into_wp_u_capability;
                }

   $userdata = array(
     'user_login' => $phpbb_user[0]->username,
     'user_pass' => $phpbb_user[0]->user_password,
     //'user_email' => $phpbb_user[0]->user_email,
     'user_registered' => date_i18n( 'Y-m-d H:i:s', $phpbb_user[0]->user_regdate ),
     'role' => $role
    );

    $w3all_oninsert_wp_user = 1;
    $user_id = wp_insert_user( $userdata );

   if ( is_wp_error( $user_id ) ) {
    echo '<div style="padding:10px 30px;background-color:#fff;color:#000;font-size:1.3em"><p>' . $user_id->get_error_message() . '</p></div>';
    echo __('<div><p style="padding:10px 30px;background-color:#fff;color:#000;font-size:1.0em"><strong>ERROR: try to reload page, but if the error persist may it mean that the forum\'s logged in username contains illegal characters OR your forum\'s account is not active. Please contact an administrator.</strong></p></div>', 'wp-w3all-phpbb-integration');
    exit;
   }

   if ( ! is_wp_error( $user_id ) ) {
     $phpbb_username = preg_replace( '/\s+/', ' ', $phpbb_user[0]->username );
     $phpbb_username = esc_sql($phpbb_username);
     $uemail = $phpbb_user[0]->user_email;
     $upass = $phpbb_user[0]->user_password;
     $user_username_clean = sanitize_user( $phpbb_user[0]->username, $strict = false );
     $user_username_clean = esc_sql(mb_strtolower($user_username_clean,'UTF-8'));

   // workaround for cyrillic chars: or an username like 'Denis I.' in cyrillic alphabet, will be inserted as a single dot for the user_login value
     if ( $contains_cyrillic ) {
      $wpdb->query("UPDATE $wpu_db_utab SET user_login = '".$phpbb_username."', user_pass = '".$upass."', user_nicename = '".$user_username_clean."', user_email = '".$uemail."', display_name = '".$phpbb_username."' WHERE ID = ".$user_id."");
      $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$phpbb_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
     } else { // leave as is (may cleaned and different) the just created user_login
            $wpdb->query("UPDATE $wpu_db_utab SET user_pass = '".$upass."', user_email = '".$uemail."', display_name = '".$phpbb_username."' WHERE ID = '$user_id'");
            $wpdb->query("UPDATE $wpu_db_umtab SET meta_value = '".$phpbb_username."' WHERE user_id = '$user_id' AND meta_key = 'nickname'");
          }
   }

   if( is_wp_error( $user_id ) ){
      // TODO: return error via cookie instead
      echo '<h3>Error: '.$user_id->get_error_message().'</h3>' . '<h4><a href="'.get_edit_user_link().'">Return back</a><h4>';
      exit;
   } else {

    if($w3all_oninsert_wp_user == 1)
    {
      define("WPUSERCREATED",true);

       if ( is_multisite() ){
        if ( !function_exists( 'get_current_blog_id' ) ) {
         require_once ABSPATH . WPINC . '/load.php';
        }

        if ( !function_exists( 'add_user_to_blog' ) ) {
         require_once ABSPATH . WPINC . '/ms-functions.php';
        }

        $blogID = get_current_blog_id();

        // this way add only to the current visited blog
        // $role
        $result = add_user_to_blog($blogID, $user_id, $role);
       }

     // let login the user, if pass match
      if(isset($_POST['log']) && isset($_POST['pwd'])){
       wp_check_password(trim($_POST['pwd']), $upass, $user_id);
      }
     }
    }
 }

 define('W3ALL_WPNU_CKU', true);

}
But still in this version, as it is here into this post, it do not implement the all languages usernames fix
viewtopic.php?p=6648#p6648
(when a new phpBB user is inserted and the username is in NON LATIN chars. This function will be fixed also under this aspect on 2.9.0)