Thread: Authenticating user


Authenticating user

From
adriantineo@softhome.net
Date:
Hi all !

I am coding an application where I need to identify a user with username
and password. His credentials are checked against the corresponding
postgresql database user. I have been reading a good tutorial at devshed.com
about how to do this but it is done in mysql in the example. The author
claims that the best way to check if the user is valid is by sending this
query:
$query = "SELECT id from user WHERE username = '$user' AND
password = PASSWORD('$pass')";
This way I could see if the user is valid by counting the results returned
by the query without returning the credentials info.

I kind of need a PASSWORD function for postgresql. Does it exist? I have
been searching the docs but couldn't find it.

I have tried:
$query="SELECT usename from pg_user WHERE usename ='$user' AND
password='$pass'";
but it won't work. The only way it works is by doing this query:
$query="SELECT usename from pg_shadow WHERE usename ='$user' AND
password='$pass'";
as the postgres user but I feel that I shouldn't be using the superuser or
the security could be at risk.

I would appreciate any comments, thank you.

Adrian Tineo
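
One way to validate a username and password without interpolating input into the SQL string or storing a comparable password in the database, as an added example that is not part of the original message. It assumes the application keeps its own hypothetical table `app_user` instead of reading `pg_shadow`, and uses an in-memory SQLite database as a stand-in for PostgreSQL so that it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The table app_user and its columns
// are hypothetical. SQLite in memory stands in for PostgreSQL (assumption);
// against PostgreSQL only the DSN changes ('pgsql:host=...;dbname=...').
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE app_user (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    pw_hash TEXT NOT NULL)');

// Store a salted, deliberately slow hash, never the password itself.
function register(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO app_user (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// Returns the user id on success, null on any failure.
function authenticate(PDO $db, string $user, string $pass): ?int
{
    // Bound parameter: $user travels as data and cannot change the SQL text.
    $stmt = $db->prepare('SELECT id, pw_hash FROM app_user WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // For an unknown user, verify against a dummy hash so both paths do
    // comparable work and the response time does not reveal which names exist.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_DEFAULT);
    $ok = password_verify($pass, $row ? $row['pw_hash'] : $dummy);

    return ($row && $ok) ? (int) $row['id'] : null;
}

// Constructed sample data.
register($db, 'adrian', 'correct horse');

var_dump(authenticate($db, 'adrian', 'correct horse')); // valid credentials
var_dump(authenticate($db, 'adrian', 'wrong'));         // bad password
var_dump(authenticate($db, "o'brien", 'anything'));     // quote in input is plain data
```

The database account the application connects with needs only SELECT and INSERT on this one table, so no superuser access to `pg_shadow` is involved.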

Re: Authenticating user

From
"Josh Berkus"
Date:
Adrian,

> Yes, that's what I did in the end. Thank you.
> I didn't want that solution at first because I wanted to separate the
> error for bad credentials from the error for db server not running. I
> managed to do that by "output buffering" the error message and
> analysing the string.

FYI, we're using pam_auth together with a remote NFS authentication
server to validate the users of our latest intranet project.  It works
flawlessly.

-Josh Berkus