Re: field with Password
From | Iñigo Barandiaran |
---|---|
Subject | Re: field with Password |
Date | |
Msg-id | 4989C64D.2080008@vicomtech.org |
In reply to | field with Password (Iñigo Barandiaran <ibarandiaran@vicomtech.org>) |
List | pgsql-general |
Thanks!

This is great. I'm now implementing this functionality.

Thank you all.

You are great!

Best,

> You should always salt your password hashes.
>
> I.e. randomly generate a salt string, then store this and the password hash:
>
>     insert into auth (user_id, salt, password) values (1, 'blah', md5('blah' || 'test'));
>
> then to check the password
>
>     select true from auth where user_id = 1 and password = md5(salt || 'test');
>
> I tend to set a trigger function to auto generate a salt and hash the password.
>
> If you want to be really secure, use both a md5 and sha1 hash, since it has been proved you can generate hash collisions so you could use:
>
>     insert into auth (user_id, salt, password) values (1, 'blah', md5('blah' || 'test') || sha1('blah' || 'test'));
>
> then to check the password
>
>     select true from auth where user_id = 1 and password = md5(salt || 'test') || sha1(salt || 'test');
>
> Chris Ellis
>
> "Raymond C. Rodgers" <sinful622@gmail.com>
> Sent by: pgsql-general-owner@postgresql.org
> 04/02/2009 14:34
> To: Iñigo Barandiaran <ibarandiaran@vicomtech.org>
> cc: pgsql-general@postgresql.org
> Subject: Re: [GENERAL] field with Password
>
> Iñigo Barandiaran wrote:
> > Thanks!
> >
> > Ok. I've found http://256.com/sources/md5/ library. So the idea is to define in the DataBase a Field of PlainText type. When I want to insert a new user, I define a password, convert to MD5 hash with the library and store it in the DataBase. Afterwards, any user check should get the content of the DataBase of do the inverse process with the library. Is it correct?
> >
> > Thanks so much!!!!!!
> >
> > Best,
>
> Well, you can use the built-in md5 function for this purpose. For instance, you could insert a password into the table with a statement like:
>
>     insert into auth_data (user_id, password) values (1, md5('test'));
>
> And compare the supplied password with something like:
>
>     select true from auth_data where user_id = 1 and password = md5('test');
>
> You don't need to depend on an external library for this functionality; it's built right into Postgres. Personally, in my own apps I write in PHP, I use a combination of sha1 and md5 to hash user passwords, without depending on Postgres to do the hashing, but the effect is basically the same.
>
> Raymond
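The trigger approach mentioned in the quoted reply (auto-generate a salt and hash the password on write), as an added example that is not from the thread. It swaps the md5() calls for the pgcrypto extension's crypt() and gen_salt('bf'), which keep the per-row salt inside the hash string, so no separate salt column is used; the table layout, function name and trigger name are assumptions.

```sql
-- Added example, not code from the thread. Names below are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE auth (
    user_id  integer PRIMARY KEY,
    password text NOT NULL   -- holds the crypt() output, never the plaintext
);

CREATE OR REPLACE FUNCTION auth_hash_password() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        -- gen_salt('bf') produces a fresh random salt on every call;
        -- crypt() embeds that salt in the string it returns.
        NEW.password := crypt(NEW.password, gen_salt('bf'));
    ELSIF NEW.password IS DISTINCT FROM OLD.password THEN
        -- Re-hash only when the column was actually changed, so an
        -- unrelated UPDATE does not hash the stored hash a second time.
        NEW.password := crypt(NEW.password, gen_salt('bf'));
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER auth_hash_password_trg
    BEFORE INSERT OR UPDATE ON auth
    FOR EACH ROW EXECUTE PROCEDURE auth_hash_password();

-- Constructed sample rows: two users with the same password.
INSERT INTO auth (user_id, password) VALUES (1, 'test');
INSERT INTO auth (user_id, password) VALUES (2, 'test');

-- Compare the two stored values; each row was hashed with its own salt.
SELECT a.password <> b.password AS hashes_differ
FROM auth a, auth b
WHERE a.user_id = 1 AND b.user_id = 2;

-- Password check: pass the stored value as the salt argument so crypt()
-- reuses the salt embedded in it, then compare with the stored value.
SELECT true FROM auth
WHERE user_id = 1 AND password = crypt('test', password);
```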