diff -ubBr change_sqlpass.ori//config.php.sample /usr/share/squirrelmail/plugins/change_sqlpass//config.php.sample
--- change_sqlpass.ori//config.php.sample	2005-11-12 06:04:34.000000000 +0000
+++ /usr/share/squirrelmail/plugins/change_sqlpass//config.php.sample	2011-05-19 22:07:18.000000000 +0000
@@ -21,7 +21,7 @@
           $csp_non_standard_http_port, $csp_delimiter, $csp_debug,
           $min_password_length, $max_password_length, $include_digit_in_password,
           $include_uppercase_letter_in_password, $include_lowercase_letter_in_password,
-          $include_nonalphanumeric_in_password;
+          $include_nonalphanumeric_in_password, $reject_passwords_with_non_ascii_characters;
 
 
 
@@ -71,8 +71,8 @@
    //      except %4 will have double quotes around it and %5 will not.
    //
    //$lookup_password_query = '';
-   // TERRIBLE SECURITY: $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"';
-   $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4';
+   // TERRIBLE SECURITY: $lookup_password_query = "SELECT count(*) FROM users WHERE username = '%1' AND plain_password = '%5'";
+   $lookup_password_query = "SELECT count(*) FROM users WHERE username = '%1' AND crypt_password = %4";
 
 
 
@@ -103,9 +103,9 @@
    //      and %5 will not.
    //
    $password_update_queries = array(
-            'UPDATE users SET crypt_password = %4 WHERE username = "%1"',
-//            'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',
-//            'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',
+            "UPDATE users SET crypt_password = %4 WHERE username = '%1'",
+//            "UPDATE user_flags SET force_change_pwd = 0 WHERE username = '%1'",
+//            "UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = '%1'",
                                    );
 
 
@@ -128,9 +128,9 @@
    //   %3 in this query will be replaced with the domain name, 
    //      such as "example.com"
    //
-   //$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"';
-   //$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"';
-   $force_change_password_check_query = '';
+   //$force_change_password_check_query = "SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = '%1'";
+   //$force_change_password_check_query = "SELECT force_change_pwd FROM users WHERE username = '%1'";
+   $force_change_password_check_query = "";
 
 
 
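Review bot: The commented example on the first added line nests `"yes"` inside a PHP double-quoted string, so an administrator who uncomments it gets a parse error. Now that the outer quotes are double quotes, the inner literal should be single-quoted like the rest of the query: `//$force_change_password_check_query = "SELECT IF(force_change_pwd = 'yes', 1, 0) FROM users WHERE username = '%1'";`.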
@@ -178,8 +178,9 @@
    //$csp_salt_static = '$2$blowsomefish$';  // use this format with PHPCRYPT
    $csp_salt_static = '';
 
-   //$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = "%1"';
-   //$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = "%1"';
+   //$csp_salt_query = "SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = '%1'";
+   //$csp_salt_query = "SELECT SUBSTRING(crypt_password, -2) FROM users WHERE username = '%1'";
+   //$csp_salt_query = "SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = '%1'";
    $csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
    //$csp_salt_query = '';
 
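Review bot: The active `$csp_salt_query` default keeps the old quoting (`username = "%1"`) while every other query touched in this file moves to `'%1'`. If the switch is meant for databases or SQL modes that read double quotes as identifier quotes, this is the one live query that would still fail; suggest `$csp_salt_query = "SELECT salt FROM users WHERE username = '%1'";`. Separately, the new `SUBSTRING(crypt_password, -2)` example returns the last two characters in MySQL, whereas a traditional crypt() hash carries its salt in the first two, so that example is worth confirming against a real hash.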
@@ -242,6 +243,15 @@
 
 
 
+   // This setting will reject passwords using
+   // non ASCII characters. Depending on the
+   // locale used, a non ASCII password
+   // might prevent user login.
+
+   $reject_passwords_with_non_ascii_characters = 1;
+
+
+
    // csp_delimiter
    //
    // if your system has usernames with something other than
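Review bot: The comment for the new setting does not name the variable or say which values it accepts, unlike the `csp_delimiter` block that follows it. It also describes the check as "non ASCII", while the pattern added in functions.php accepts only octal 040-176, so control characters such as tab are rejected too. Suggest a header line `// reject_passwords_with_non_ascii_characters` followed by `// Set to 1 to accept only printable ASCII (space through ~) in new passwords, 0 to disable the check.`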
diff -ubBr change_sqlpass.ori//functions.php /usr/share/squirrelmail/plugins/change_sqlpass//functions.php
--- change_sqlpass.ori//functions.php	2005-11-12 06:48:24.000000000 +0000
+++ /usr/share/squirrelmail/plugins/change_sqlpass//functions.php	2011-05-19 22:10:56.000000000 +0000
@@ -646,33 +646,37 @@
 
    $salt = get_password_salt();
 
+   // get database connection
+   //
+   $db = csp_get_database_connection();
+
    switch (strtolower($password_encryption))
    {
 
       case strtolower(PASSWORD_ENCRYPTION_MYSQL_PASSWORD):
-         return 'password("' . $password . '")';
+         return "password('" . $db->escapeSimple( $password ) . "')";
 
       case strtolower(PASSWORD_ENCRYPTION_MYSQL_ENCRYPT):
          if (empty($salt))
-            return 'encrypt("' . $password . '")';
+            return "encrypt('" . $db->escapeSimple( $password ) . "')";
          else
-            return 'encrypt("' . $password . '", ' . $salt . ')';
+            return "encrypt('" . $db->escapeSimple( $password ) . "', " . $db->escapeSimple( $salt ) . ")";
 
       case strtolower(PASSWORD_ENCRYPTION_PHPCRYPT):
          if (empty($salt))
-            return '"' . crypt($password) . '"';
+            return "'" . crypt($password) . "'";
          else
-            return '"' . crypt($password, $salt) . '"';
+            return "'" . crypt($password, $salt) . "'";
 
       case strtolower(PASSWORD_ENCRYPTION_MD5CRYPT):
-         return '"' . md5crypt($password, $salt) . '"';
+         return "'" . md5crypt($password, $salt) . "'";
 
       case strtolower(PASSWORD_ENCRYPTION_MD5):
-         return '"' . md5($password) . '"';
+         return "'" . md5($password) . "'";
 
       case strtolower(PASSWORD_ENCRYPTION_NONE):
       default:
-         return '"' . $password . '"';
+         return "'" . $password . "'";
 
    }
 
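Review bot: The `PASSWORD_ENCRYPTION_NONE`/`default` branch now places `$password` into the SQL literal with no escaping, because this commit also removes `$db->escapeSimple()` from both callers (the hunks at -733 and -837). A plaintext password containing `'` would end the literal early in the lookup and update queries, so that branch should be `return "'" . $db->escapeSimple($password) . "'";`. In the salted `encrypt()` branch, `escapeSimple($salt)` is inserted without surrounding quotes, so escaping alone does not constrain it unless get_password_salt() already returns a quoted value, which is not visible here. The function starts above this hunk.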
@@ -694,7 +698,7 @@
    global $lookup_password_query, $csp_debug, $min_password_length, 
           $max_password_length, $include_digit_in_password,
           $include_uppercase_letter_in_password, $include_lowercase_letter_in_password,
-          $include_nonalphanumeric_in_password;
+          $include_nonalphanumeric_in_password, $reject_passwords_with_non_ascii_characters;
 
    load_config('change_sqlpass', array('config.php'));
 
@@ -733,7 +737,7 @@
 
 
       list($full_username, $user, $dom) = csp_parse_username();
-      $encrypted_pwd = get_password_encrypt_string($db->escapeSimple($cp_oldpass));
+      $encrypted_pwd = get_password_encrypt_string($cp_oldpass);
 
 
       $sql = $lookup_password_query;
@@ -794,6 +798,9 @@
    if ($include_nonalphanumeric_in_password && !preg_match('/[^a-zA-Z0-9]+/', $cp_newpass))
       array_push($messages, _("Please include at least one non-alphanumeric character (such as @, - or _) in your new password"));
 
+   if ($reject_passwords_with_non_ascii_characters && !preg_match('/^[\040-\176]+$/', $cp_newpass))
+      array_push($messages, _("Please do not use non ASCII characters in your new password"));
+
    if (empty($cp_verify))
       array_push($messages,
          _("You must also type in your new password in the verify box"));
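Review bot: In the added non-ASCII check, `$` without the `D` modifier also matches just before a trailing newline, so a new password ending in a line feed passes the printable-ASCII test. Anchoring with `\z` closes that gap: `preg_match('/^[\040-\176]+\z/', $cp_newpass)`. The user-facing message says "non ASCII" although the class also rejects ASCII control characters such as tab, which may confuse users who hit it. The enclosing function begins and ends outside this hunk.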
@@ -837,7 +844,7 @@
 
 
    list($full_username, $user, $dom) = csp_parse_username();
-   $encrypted_pwd = get_password_encrypt_string($db->escapeSimple($password));
+   $encrypted_pwd = get_password_encrypt_string($password);
 
 
    // do all queries

