Re: Password Encryption to replicate MySQL PASSWORD function

From: Matthew Horoschun <mhoroschun(at)canprint(dot)com(dot)au>
To: "Luke Woollard" <luke(at)taborvision(dot)com>
Cc: <pgsql-php(at)postgresql(dot)org>, Farran Rebbeck <frebbeck(at)canprint(dot)com(dot)au>
Subject: Re: Password Encryption to replicate MySQL PASSWORD function
Date: 2003-01-22 03:48:36
Message-ID: 62B5FF86-2DBC-11D7-BB6D-000393B3A702@canprint.com.au
Lists: pgsql-php

Hi Luke,

I've just been playing with this myself (as you've seen). I'm no
expert... so maybe somebody else can jump in if what I say is incorrect.

On Wednesday, January 22, 2003, at 02:00 PM, Luke Woollard wrote:

> How is this easily achieved in Postgresql? (as there is no 'PASSWORD'
> function)

As far as I know there aren't any similar functions available in
PostgreSQL. Additionally, I don't see anything wrong with sticking that
logic on the application-side rather than in the database.

Of course, if you do your access-control on the application side, then
you're vulnerable to faults in your PHP code potentially causing
complete database compromise.

> Is there any way to replicate this with PostgreSQL or a better way to
> authenticate users with both databases (md5 or similar) ????

One of the reasons we've moved from MySQL to PostgreSQL was to provide
more stringent security by using views and schemas. We decided that the
safest method was to create real users in the PostgreSQL system user
table, and then let Postgres worry about authenticating users. Then,
even if your PHP code is flawed, the SQL commands still execute with
only the user's permissions.

This doesn't solve your original problem though. You still end up
needing to do the md5 hashing in the application layer. I'm curious to
know why you're opposed to this?

I'm keen to hear other people's views on the cleanest way to
authenticate users...

Cheers

Matthew.

--
Matthew Horoschun
Network Administrator
CanPrint Communications Pty. Ltd.

Mobile: 0417 282 378
Direct: (02) 6295 4544
Telephone: (02) 6295 4422
Facsimile: (02) 6295 4473
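
The approach described in the message above (real PostgreSQL users combined with views and schemas), as an added example that is not part of the original email. It uses current PostgreSQL role syntax, and every role, schema, table and view name and the placeholder passwords are hypothetical.

```sql
-- Constructed example: all names and passwords below are hypothetical.
-- Run as the database owner or a superuser.

-- One real PostgreSQL login role per application user. The server checks
-- the password at connect time, so the PHP code compares no hashes itself.
CREATE ROLE alice LOGIN PASSWORD 'replace-me-alice';
CREATE ROLE bob   LOGIN PASSWORD 'replace-me-bob';

-- A group role carries the privileges so they are granted in one place.
CREATE ROLE app_users NOLOGIN;
GRANT app_users TO alice, bob;

-- Base tables live in a schema on which ordinary users get no privileges
-- (a new schema grants nothing to PUBLIC by default).
CREATE SCHEMA private;

CREATE TABLE private.orders (
    id         serial PRIMARY KEY,
    owner_role name NOT NULL DEFAULT current_user,
    item       text NOT NULL
);

INSERT INTO private.orders (owner_role, item) VALUES
    ('alice', 'toner'),
    ('bob',   'paper');

-- Users reach the data only through a view filtered on the connected role.
-- The view reads the base table with its owner's privileges, while
-- current_user still evaluates to the role that issued the query.
CREATE SCHEMA app;
GRANT USAGE ON SCHEMA app TO app_users;

CREATE VIEW app.my_orders AS
    SELECT id, item
    FROM private.orders
    WHERE owner_role = current_user;

GRANT SELECT ON app.my_orders TO app_users;

-- Check the boundary from the database side by assuming one user's identity.
SET ROLE alice;
SELECT * FROM app.my_orders;     -- filtered to alice's own rows
SELECT * FROM private.orders;    -- rejected: alice holds no privilege here
RESET ROLE;
```

The PHP side then connects with the credentials the end user supplied rather than one shared application account, so a flaw in the PHP code is confined to what that role was granted.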
