diff --git a/wp-includes/user.php b/wp-includes/user.php
index 9f554f7d2..c7e9e586e 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -81,7 +81,7 @@ function get_usermeta( $user_id, $meta_key = '') {
 	$user_id = (int) $user_id;
 
 	if ( !empty($meta_key) ) {
-		$meta_key = preg_replace('|a-z0-9_|i', '', $meta_key);
+		$meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key);
 		$metas = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key'");
 	} else {
 		$metas = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'");
diff --git a/wp-login.php b/wp-login.php
index 265846ca7..c1029028e 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -165,7 +165,7 @@ break;
 
 case 'resetpass' :
 case 'rp' :
-	$key = preg_replace('/a-z0-9/i', '', $_GET['key']);
+	$key = preg_replace('/[^a-z0-9]/i', '', $_GET['key']);
 	if ( empty( $key ) ) {
 		wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
 		exit();