--- authmysqllib.original.c Thu Aug 2 00:23:01 2001 +++ authmysqllib.c Sun Sep 30 17:33:30 2001 @@ -188,15 +188,44 @@ static struct authmysqluserinfo ui={0, 0, 0, 0, 0, 0, 0}; -static void append_username(char *p, const char *username, +static int append_username(char *p, const char *username, const char *defdomain) { - for (strcpy(p, username); *p; p++) - if (*p == '"' || *p == '\\' || - (int)(unsigned char)*p < ' ') - *p=' '; /* No funny business */ - if (strchr(username, '@') == 0 && defdomain && *defdomain) - strcat(strcpy(p, "@"), defdomain); +const unsigned char *pu; +int has_at_sign = strchr(username, '@') != 0; + + for (pu = username; ; ++pu, ++p) { + unsigned ch = *pu; + switch (ch) { +#if !defined(USERNAMES_MAY_CONTAIN_PERCENT_SIGN) + case '%': + if (!has_at_sign) { + ch = '@'; + has_at_sign = 1; + } + break; +#endif /* !defined(USERNAMES_MAY_CONTAIN_PERCENT_SIGN) */ + case 0: + break; + default: + if (ch >= (unsigned)' ') + break; + /* otherwise continue: no funny business */ + case '"': + case '\\': + ch = ' '; + break; + } + if ((*p = ch) == 0) + break; + } + if (!has_at_sign && defdomain && *defdomain) { + *p = '@'; + strcpy(p + 1, defdomain); + has_at_sign = 1; + } + + return has_at_sign; } struct authmysqluserinfo *auth_mysql_getuserinfo(const char *username) @@ -206,13 +235,13 @@ char *querybuf, *p; MYSQL_ROW row; MYSQL_RES *result; - +int has_at_sign; const char *crypt_field, *clear_field, *maildir_field, *home_field, - *name_field, + *name_field, *alt_login_field, *login_field, *uid_field, *gid_field, *quota_field, *where_clause; static const char query[]= - "SELECT %s, %s, %s, %s, %s, %s, %s, %s, %s FROM %s WHERE %s = \""; + "SELECT %s, %s, %s, %s, %s, %s, %s, %s, %s FROM %s WHERE \""; if (do_connect()) return (0); 
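Review bot: In the rewritten append_username (the `@@ -188,15 +188,44 @@` hunk), `pu = username` assigns a `const char *` to a `const unsigned char *` without a cast, which compilers diagnose as an incompatible pointer assignment; write `pu = (const unsigned char *)username;`. The function now returns a flag and still writes through `p` with no size argument, so it needs a header comment. That comment should state that the return value is nonzero when the written name contains '@' (typed, mapped from '%', or appended from `defdomain`), and that the caller must reserve strlen(username) + 1 + strlen(defdomain) + 1 bytes at `p`. `defdomain` is copied with `strcpy` and never passes through the quote/backslash/control-character filter, so the filter protects the query only while DEFAULT_DOMAIN is trusted configuration; say so in the same comment.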
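Review bot: The `query` format in the `@@ -206,13 +235,13 @@` hunk loses its last `%s`, but the argument list visible as context in the `@@ -296,8 +328,9 @@` hunk still ends with `name_field, user_table, login_field);`. That call starts outside the hunk and is presumably the sprintf that consumes `query`. The surplus argument is ignored at run time, and because the format is a `static const char[]` rather than a literal at the call site, the compiler is unlikely to warn about it. Drop the trailing `login_field` so the argument list matches the ten remaining conversions. The new `int has_at_sign;` is also declared at column 0 while the neighbouring declarations are indented.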
@@ -266,6 +295,9 @@ login_field = read_env("MYSQL_LOGIN_FIELD"); if (!login_field) login_field = "id"; + alt_login_field = read_env("MYSQL_ALT_LOGIN_FIELD"); + /* if (!alt_login_field) leave it so */ + home_field = read_env("MYSQL_HOME_FIELD"); if (!home_field) home_field = "home"; @@ -296,8 +328,9 @@ name_field, user_table, login_field); p=querybuf+strlen(querybuf); - append_username(p, username, defdomain); - strcat(p, "\""); + has_at_sign = append_username(p, username, defdomain); + strcat(p, "\" = "); + strcat(p, has_at_sign || !alt_login_field ? login_field : alt_login_field); if (strcmp(where_clause, "")) { strcat(p, " AND ("); @@ -371,8 +404,8 @@ int auth_mysql_setpass(const char *user, const char *pass) { - char *newpass_crypt; - const char *newpass_crypt_ptr; + char *newpass_crypt = 0; + const char *newpass_crypt_ptr = 0; const char *p; int l; char *sql_buf; @@ -385,20 +418,26 @@ const char *where_clause; const char *user_table; const char *login_field; + const char *alt_login_field; if (!mysql) return (-1); - if (!(newpass_crypt=authcryptpasswd(pass, "{crypt}"))) - return (-1); - - if (!(newpass_crypt_ptr=strchr(newpass_crypt, '}'))) + crypt_field=read_env("MYSQL_CRYPT_PWFIELD"); + if (crypt_field != 0) { - free(newpass_crypt); /* WTF???? */ - return (-1); + if (!(newpass_crypt=authcryptpasswd(pass, "{crypt}"))) + return (-1); + + if (!(newpass_crypt_ptr=strchr(newpass_crypt, '}'))) + { + free(newpass_crypt); /* WTF???? */ + return (-1); + } + ++newpass_crypt_ptr; + } - ++newpass_crypt_ptr; for (l=0, p=pass; *p; p++) { @@ -414,7 +453,7 @@ login_field = read_env("MYSQL_LOGIN_FIELD"); if (!login_field) login_field = "id"; - crypt_field=read_env("MYSQL_CRYPT_PWFIELD"); + alt_login_field = read_env("MYSQL_ALT_LOGIN_FIELD"); clear_field=read_env("MYSQL_CLEAR_PWFIELD"); defdomain=read_env("DEFAULT_DOMAIN"); where_clause=read_env("MYSQL_WHERE_CLAUSE"); 
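Review bot: The added `strcat(p, has_at_sign || !alt_login_field ? login_field : alt_login_field);` in the `@@ -296,8 +328,9 @@` hunk can append the value of MYSQL_ALT_LOGIN_FIELD, but the allocation of `querybuf` lies outside every visible hunk, so nothing here shows that its size has a term for that string. If the size was derived from `strlen(login_field)` only, an alternate field name longer than `login_field` plus whatever slack exists is written past the end of the heap buffer. Add `strlen(alt_login_field ? alt_login_field : "")` to the size computation where `querybuf` is allocated. Parenthesising the condition as `(has_at_sign || !alt_login_field) ? login_field : alt_login_field` would also make the precedence explicit.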
@@ -423,7 +462,7 @@ sql_buf=malloc(strlen(crypt_field ? crypt_field:"") + strlen(clear_field ? clear_field:"") + strlen(defdomain ? defdomain:"") - + strlen(login_field) + l + strlen(newpass_crypt) + + strlen(login_field) + l + strlen(newpass_crypt ? newpass_crypt:"") + strlen(user_table) + strlen(where_clause ? where_clause:"") + 200); @@ -467,13 +506,13 @@ } free(newpass_crypt); - strcat(strcat(strcat(sql_buf, " WHERE "), - login_field), - "=\""); + strcat(strcat(sql_buf, " WHERE "), + "\""); - append_username(sql_buf+strlen(sql_buf), user, defdomain); + l = append_username(sql_buf+strlen(sql_buf), user, defdomain); - strcat(sql_buf, "\""); + strcat(sql_buf, "\" = "); + strcat(sql_buf, l || !alt_login_field ? login_field : alt_login_field); if (where_clause && *where_clause) {
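Review bot: The size expression for `sql_buf` in the `@@ -423,7 +462,7 @@` hunk gains the NULL guard for `newpass_crypt` but still has no term for `alt_login_field`, which the `@@ -467,13 +506,13 @@` hunk now appends with `strcat`. It also has no visible term for `user`, whose filtered copy append_username writes into the same buffer, so both depend on the fixed `+ 200`. `user` is caller-supplied, so unless its length is bounded before this point (not visible here) a long name can overrun the allocation. Add `+ strlen(user) + strlen(alt_login_field ? alt_login_field:"")` to the sum. Whether the malloc result is checked before use lies outside the hunk.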
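Review bot: In the `@@ -467,13 +506,13 @@` hunk, `l = append_username(...)` reuses `l` as the has-at-sign flag, although earlier in auth_mysql_setpass it is the counter built in the loop over `pass` and used in the buffer size. A dedicated local, as auth_mysql_getuserinfo does with `int has_at_sign;`, keeps the two meanings apart: `has_at_sign = append_username(sql_buf+strlen(sql_buf), user, defdomain);`, followed by `strcat(sql_buf, (has_at_sign || !alt_login_field) ? login_field : alt_login_field);`. The function body continues past the end of the hunk.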