Re: contrib/pgcrypto functions not IMMUTABLE?

From: Alvaro Herrera
Subject: Re: contrib/pgcrypto functions not IMMUTABLE?
Msg-id: 20050703171924.GA15874@surnet.cl
In response to: Re: contrib/pgcrypto functions not IMMUTABLE?  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: contrib/pgcrypto functions not IMMUTABLE?  (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers
On Sun, Jul 03, 2005 at 12:57:54PM -0400, Tom Lane wrote:
> Marko Kreen <marko@l-t.ee> writes:

> > As for the crypt() case, let's say you have a new user with
> > hashed password field NULL.  In addition, you have client
> > program that compares crypt() result with hashed field
> > itself, in addition it handles NULLs as empty string.
> > Result: it is possible to login with any password.
> > Lots of assumptions but in e.g. PHP case they are all filled.
> 
> A NULL password field is intended to have exactly that effect, no?

Not necessarily -- it may mean the user was just created, or it was
"deactivated" by setting the password to NULL.  Yes, this last thing is
foolish, but people do it anyway ...

-- 
Alvaro Herrera (<alvherre[a]surnet.cl>)
"The only difference is that Saddam would kill you on private, where the
Americans will kill you in public" (Mohammad Saleh, 39, a building contractor)
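
The NULL-hash case discussed in this message, as an added example that is not part of the original thread or of pgcrypto. It assumes crypt() returns NULL when the stored hash is NULL (STRICT behaviour); `sql_crypt`, `naive_login`, `strict_login` and the PBKDF2 stand-in hash are hypothetical names and choices made for the illustration.

```python
import hashlib
import hmac
import os


def sql_crypt(password, stored):
    """Stand-in for SQL crypt(password, stored_hash); assumed STRICT: NULL in, NULL out."""
    if password is None or stored is None:
        return None
    salt_hex = stored.split("$", 1)[0]          # "salt$digest" layout is constructed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 10_000)
    return salt_hex + "$" + digest.hex()


def new_hash(password):
    """Create a stored hash with a fresh random salt."""
    return sql_crypt(password, os.urandom(16).hex() + "$")


def naive_login(password, stored):
    """Client that treats NULL as the empty string on both sides of the comparison."""
    computed = sql_crypt(password, stored) or ""
    return computed == (stored or "")           # "" == "" when the stored hash is NULL


def strict_login(password, stored):
    """A NULL or empty stored hash never authenticates, whatever NULL was meant to say."""
    if not stored:
        return False
    computed = sql_crypt(password, stored)
    if computed is None:
        return False
    return hmac.compare_digest(computed, stored)


# Constructed sample rows: one normal account, one just created or "deactivated".
USERS = {"alice": new_hash("correct horse"), "newuser": None}

if __name__ == "__main__":
    for name, stored in USERS.items():
        for attempt in ("correct horse", "anything"):
            print(name, repr(attempt),
                  "naive:", naive_login(attempt, stored),
                  "strict:", strict_login(attempt, stored))
```
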

