Re: MAY I HAVE YOUR ASSISTANCE

From: "Fernando Hevia" <fhevia(at)ip-tel(dot)com(dot)ar>
To: "'Gary Chambers'" <gwchamb(at)gmail(dot)com>, "'D'Arcy J(dot)M(dot) Cain'" <darcy(at)druid(dot)net>
Cc: <jameskitambara(at)yahoo(dot)co(dot)uk>, <pgsql-sql(at)postgresql(dot)org>
Subject: Re: MAY I HAVE YOUR ASSISTANCE
Date: 2008-09-01 15:42:40
Message-ID: 076f01c90c49$5e157420$8f01010a@iptel.com.ar
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-sql

> -----Mensaje original-----
> De: pgsql-sql-owner(at)postgresql(dot)org
> [mailto:pgsql-sql-owner(at)postgresql(dot)org] En nombre de Gary Chambers
> Enviado el: Lunes, 01 de Septiembre de 2008 11:31
> Para: D'Arcy J.M. Cain
> CC: jameskitambara(at)yahoo(dot)co(dot)uk; pgsql-sql(at)postgresql(dot)org
> Asunto: Re: [SQL] MAY I HAVE YOUR ASSISTANCE
>
> >> I have one problem with the user table. I want to hide the
> password for the users.
>
> Here's what I did, which requires using the contrib/pgcrypto
> extension:
>
> CREATE FUNCTION encryptpw() RETURNS TRIGGER AS $encryptpw$ BEGIN
> NEW.password = CRYPT(NEW.password, GEN_SALT('md5'));
> RETURN NEW;
> END;
> $encryptpw$
>
> CREATE TRIGGER trg_encryptpw BEFORE INSERT OR UPDATE ON
> assignees FOR EACH ROW EXECUTE PROCEDURE encryptpw();
>
> Comments, suggestions, criticisms?
>
> -- Gary Chambers
>

The weakness of this solution is that your password might be send in the
clear through the network as the encription ocurrs in the database. I
suggest the encryption be enforced at the application or secure the
connection with ssl.

In response to

Responses

Browse pgsql-sql by date

  From Date Subject
Next Message Gary Chambers 2008-09-01 18:36:38 Re: MAY I HAVE YOUR ASSISTANCE
Previous Message Gary Chambers 2008-09-01 14:31:25 Re: MAY I HAVE YOUR ASSISTANCE