From: | Alvaro Herrera <alvherre(at)surnet(dot)cl> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Marko Kreen <marko(at)l-t(dot)ee>, Michael Fuhr <mike(at)fuhr(dot)org>, Russell Smith <mr-russ(at)pws(dot)com(dot)au>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: contrib/pgcrypto functions not IMMUTABLE? |
Date: | 2005-07-03 17:19:24 |
Message-ID: | 20050703171924.GA15874@surnet.cl |
Lists: | pgsql-hackers |

On Sun, Jul 03, 2005 at 12:57:54PM -0400, Tom Lane wrote:
> Marko Kreen <marko(at)l-t(dot)ee> writes:
> > As for the crypt() case, let's say you have a new user with
> > hashed password field NULL. In addition, you have client
> > program that compares crypt() result with hashed field
> > itself, in addition it handles NULLs as empty string.
> > Result: it is possible to login with any password.
> > Lots of assumptions but in e.g. PHP case they are all filled.
>
> A NULL password field is intended to have exactly that effect, no?

Not necessarily -- it may mean the user was just created, or it was
"deactivated" by setting the password to NULL. Yes, this last thing is
foolish, but people do it anyway ...
--
Alvaro Herrera (<alvherre[a]surnet.cl>)
"The only difference is that Saddam would kill you on private, where the
Americans will kill you in public" (Mohammad Saleh, 39, a building contractor)
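
The NULL-hash login problem discussed in this message, as an added example that is not part of the original email or of pgcrypto: a client check that treats NULL as an empty string, next to a check that rejects accounts with no stored hash. Assumptions: `crypt()` here is a PBKDF2 stand-in that returns NULL (`None`) for a NULL argument, and the helper names, hash format and sample accounts are constructed for illustration.

```python
import hashlib
import hmac

SALT_HEX_LEN = 32  # constructed format: 16-byte hex salt followed by hex digest


def crypt(password, salt_or_hash):
    """Stand-in for pgcrypto's crypt(), using PBKDF2 instead of the real algorithms.

    Assumption: a NULL (None) argument yields NULL, as a STRICT SQL function would.
    """
    if password is None or salt_or_hash is None:
        return None
    salt = salt_or_hash[:SALT_HEX_LEN]  # salt is re-read from the stored hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), 10_000)
    return salt + digest.hex()


def null_as_empty(value):
    """Models a client language that treats NULL as an empty string."""
    return "" if value is None else value


def login_vulnerable(stored_hash, password):
    # NULL stored hash -> crypt() gives NULL -> "" == "" -> any password accepted.
    return null_as_empty(crypt(password, stored_hash)) == null_as_empty(stored_hash)


def login_hardened(stored_hash, password):
    # A missing or empty hash means "no usable credential": reject before hashing.
    if not stored_hash:
        return False
    computed = crypt(password, stored_hash)
    return computed is not None and hmac.compare_digest(computed, stored_hash)


# Constructed sample accounts: one with a password, one newly created (NULL hash).
ALICE_HASH = crypt("correct horse", "00112233445566778899aabbccddeeff")
USERS = {"alice": ALICE_HASH, "newuser": None}

if __name__ == "__main__":
    for name, pw in [("alice", "correct horse"), ("alice", "guess"), ("newuser", "guess")]:
        print(name, pw, login_vulnerable(USERS[name], pw), login_hardened(USERS[name], pw))
```

Both checks agree for an account with a real hash; they differ only for the NULL-hash account, which is the case the thread is arguing about.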