Re: contrib/pgcrypto functions not IMMUTABLE? - Mailing list pgsql-hackers

From Alvaro Herrera
Subject Re: contrib/pgcrypto functions not IMMUTABLE?
Date
Msg-id 20050703171924.GA15874@surnet.cl
Whole thread Raw
In response to Re: contrib/pgcrypto functions not IMMUTABLE?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: contrib/pgcrypto functions not IMMUTABLE?
List pgsql-hackers
On Sun, Jul 03, 2005 at 12:57:54PM -0400, Tom Lane wrote:
> Marko Kreen <marko@l-t.ee> writes:

> > As for the crypt() case, lets say you have a new user with
> > hashed password field NULL.  In addition, you have client
> > program that compares crypt() result with hashed field
> > itself, in addition it handles NULL's as empty string.
> > Result: it is possible to login with any password.
> > Lots of assumptions but in eg. PHP case they are all filled.
> 
> A NULL password field is intended to have exactly that effect, no?

Not necessarily -- it may mean the user was just created, or it was
"deactivated" by setting the password to NULL.  Yes, this last thing is
foolish, but people do it anyway ...

-- 
Alvaro Herrera (<alvherre[a]surnet.cl>)
"The only difference is that Saddam would kill you on private, where the
Americans will kill you in public" (Mohammad Saleh, 39, a building contractor)


pgsql-hackers by date:

Previous
From: Marko Kreen
Date:
Subject: Re: contrib/pgcrypto functions not IMMUTABLE?
Next
From: Tom Lane
Date:
Subject: Re: contrib/pgcrypto functions not IMMUTABLE?