Re: Password Encryption to replicate MySQL PASSWORD function - Mailing list pgsql-php

From Luke Woollard
Subject Re: Password Encryption to replicate MySQL PASSWORD function
Date
Msg-id NGBBIAJCILLOIJPKMOIFAECHCMAA.luke@taborvision.com
Whole thread Raw
In response to Re: Password Encryption to replicate MySQL PASSWORD function  (Matthew Horoschun <mhoroschun@canprint.com.au>)
List pgsql-php
Hi Matthew + List,

CAPS BELOW..



-----Original Message-----
From: Matthew Horoschun [mailto:mhoroschun@canprint.com.au]
Sent: Wednesday, 22 January 2003 2:49 PM
To: Luke Woollard
Cc: pgsql-php@postgresql.org; Farran Rebbeck
Subject: Re: [PHP] Password Encryption to replicate MySQL PASSWORD
function


Hi Luke,

I've just been playing with this myself (as you've seen). I'm no
expert...
ME EITHER.

so maybe somebody else can jump in if what I say is incorrect.
DITTO.

On Wednesday, January 22, 2003, at 02:00  PM, Luke Woollard wrote:

> How is this easiily achieved in Postgresql? (as there is no 'PASSWORD'
> function)

As far as I know there aren't any similar functions available in
PostgreSQL. I HAVEN'T FOUND ANY EITHER.

Additionally, I don't see anything wrong with sticking that
logic on the application-side rather than in the database.
FAIR ENOUGH.


Of course, if you do your access-control on the application side, then
you're vulnerable to faults in your PHP code potentially causing
complete database compromise. YEP




> Is there any way to replicate this with PostgreSQL or a better way to
> authenticate users with both databases (md5 or similar) ????

One of the reasons we've moved from MySQL to PostgreSQL was to provide
more stringent security by using views and schemas. We decided that the
safest method was to create real users in the PostgreSQL system user
table, and then let Postgres worry about authenticating users. Then,
even if your PHP code is flawed, the SQL commands still execute with
only the users permissions.
INTERESTING

This doesn't solve your original problem though. You still end up
needing to do the md5 hashing in the application layer. I'm curious to
know why you're opposed to this?
NOT EXACTLY OPPOSED -> JUST WANT TO KEEP IT SIMPLE. THE LESS CODE TO
MAINTAIN -> THE BETTER. WOULD RATHER RELY ON DATABASE SYSTEM TO PERFORM
ENCRYPTION TECHNIQUE IF POSSIBLE..

I'm keen to hear other peoples views on the cleanest way to authenticate
users...
ME TOO. THERE'S A LIMITED AMOUNT OF QUALITY INFORMATION ON USING PHP WITH
POSTGRESQL OUT THERE..

Cheers
PEACE

Matthew.
LUKE



--
Matthew Horoschun
Network Administrator
CanPrint Communications Pty. Ltd.

Mobile:        0417 282 378
Direct:        (02) 6295 4544
Telephone:    (02) 6295 4422
Facsimile:     (02) 6295 4473




pgsql-php by date:

Previous
From: Joe Conway
Date:
Subject: Re: Password Encryption to replicate MySQL PASSWORD function
Next
From: "Luke Woollard"
Date:
Subject: Re: Password Encryption to replicate MySQL PASSWORD function