Postgres Pro
Downloads
Home   >   mailing lists

Re: password function for PostgreSQL - Mailing list pgsql-novice

From Joel Burton
Subject Re: password function for PostgreSQL
Date
Msg-id Pine.LNX.4.30.0110141925510.9304-100000@temp.joelburton.com
Whole thread Raw
In response to password function for PostgreSQL  (hodges@xprt.net)
List pgsql-novice
Tree view 
On Sun, 14 Oct 2001 hodges@xprt.net wrote:

> Looking for a postgresql function similar to the password function in
> MySQL.  In MySQL putting  --password($password)-- in an insert query
> encrypts the value of $password that is stored in the table.  You can
> use password($password) to compare a password entered by a user in a
> later query with the stored value of $password.
>
> This is not a password for a user registered in pg_shadow, rather it
> is to limit someone going in through a public web interface to only
> those records in a table that are associated with a certain login and
> password combination.
>
> The web interface is written with PHP so I may have to simply encrypt
> the password with a PHP function before storing or comparing it.
>
> Tom
> Tom Hodges, hodges@xprt.net or tom_hodges@yahoo.com

Tom --

Three possibilities, one straightforward and current, one better, and one
cool and bleeding
edge:


(1) the function crypt(text, text) can be used like the MySQL function
password(). You would use this like:

SELECT COUNT(*) FROM tblUser WHERE username='...' AND
password=CRPYT(<password>, <salt>)

crypt() takes two parameters--string to encrypt and salt. 'man 3 salt' on
a Unix box will give you the full story.


(2) crypt uses the crypt() algorithm, which is cryptographically weak. PG
can use stronger algorithms. Look in the contrib/ directory for pgcrypto,
which will let you use algorithms like md5, etc. (RPM users: install the
PostgreSQL-contribs RPM).


(3) (perhaps even better): you can use the new field type "chkpass", which
stores a hash of a password, which you can compare against. This has the
advantage that you don't have to call the CRYPT() or md5() functions;
instead you can do a normal comparison, like:

SELECT COUNT(*) FROM tblUser WHERE username='...' AND password='...'

and it will handle the crypting/unencrpying for you. This is a new type,
in the contribs/ directory of the 7.2devel version.


Good luck w/your web app, and HTH.

--

Joel BURTON | joel@joelburton.com | joelburton.com | aim: wjoelburton
Independent Knowledge Management Consultant

pgsql-novice by date:

Previous
From: "Josh Berkus"
Date:
Subject: Re: password function for PostgreSQL
Next
From: Herb Blacker
Date:
Subject: Loading current_user and current_timestamp using COPY