Re: Password Encryption to replicate MySQL PASSWORD function

From: "Adrian Tineo" <adriantineo(at)softhome(dot)net>
To: "Luke Woollard" <luke(at)taborvision(dot)com>, "Matthew Horoschun" <mhoroschun(at)canprint(dot)com(dot)au>
Cc: pgsql-php(at)postgresql(dot)org
Subject: Re: Password Encryption to replicate MySQL PASSWORD function
Date: 2003-01-22 14:54:38
Message-ID: 007101c2c226$391ddf40$f8ddd8d9@supercable.es
Lists: pgsql-php

>We decided that the
> safest method was to create real users in the PostgreSQL system user
> table, and then let Postgres worry about authenticating users. Then,
> even if your PHP code is flawed, the SQL commands still execute with
> only the users permissions.

I thought that way too but now I think it is better to create users and do
the encrypting in the application layer and store logins and passwords in
regular tables. The reason is that if, by any means, someone enters the
database as user postgres or any other with total privileges then you can
see in the pg_shadow table the passwords in clear; this is a bigger risk than
having your passwords encrypted in PHP and storing them as encrypted TEXT in
any table.

Besides, if you move from one postgresql server to another you have to worry
a lot about how postgresql is configured (permissions and such). If you put
it all in the application and regular tables you can go to any typical
postgresql installation and install the database and application quickly and
safely.

At least that's what I think.

Adrian Tineo
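The application-layer approach Adrian describes, as an added example that is not part of the original thread: logins and password hashes live in an ordinary table, and the application, not the database's user system, does the checking. Note that what gets stored is a salted, iterated hash rather than reversible encryption, so a reader of the table (including a database superuser) cannot recover the plaintext, which is exactly the risk raised above. The table schema, the in-memory SQLite stand-in for a PostgreSQL table, the PBKDF2 work factor and the `users` column names are all assumptions made for this example.

```python
# Added example (not code from the original thread). Application-layer
# password storage in a regular table: a salted, iterated hash per user,
# verified in the application. SQLite in-memory is used here as a stand-in
# for a PostgreSQL "users" table so the example runs offline; the same SQL
# works against PostgreSQL with a DB-API driver (placeholder style aside).
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor; assumption, tune to your hardware
SALT_BYTES = 16               # 128-bit random salt per user
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    Storing the parameters next to the hash lets the work factor be raised
    later without invalidating existing rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False            # malformed record: never authenticate on it
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hash of a throwaway value, used so that a lookup for an unknown login costs
# the same time as a wrong password (avoids a timing-based login oracle).
DUMMY_HASH = hash_password("not-a-real-password")


def open_user_table() -> sqlite3.Connection:
    """Create the constructed 'users' table: one login, one hash record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (login TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def create_user(conn: sqlite3.Connection, login: str, password: str) -> None:
    """Insert a user; only the hash record ever reaches the table."""
    conn.execute(
        "INSERT INTO users (login, password_hash) VALUES (?, ?)",
        (login, hash_password(password)),
    )


def authenticate(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Application-layer login check against the regular table."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)   # equalise timing, then refuse
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    db = open_user_table()
    create_user(db, "alice", "correct horse battery staple")
    print("alice/right:", authenticate(db, "alice", "correct horse battery staple"))
    print("alice/wrong:", authenticate(db, "alice", "hunter2"))
    print("bob/unknown:", authenticate(db, "bob", "hunter2"))
    print("stored row :", db.execute("SELECT * FROM users").fetchone())
```

Run it and the stored row shows only the algorithm, iteration count, salt and digest; the plaintext never touches the table, and two users with the same password get different rows because each has its own salt.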
