<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Thanks!<br>
<br>
This is great. I'm now implementing this functionality.<br>
<br>
Thank you all.<br>
<br>
You are great!<br>
<br>
Best,<br>
<blockquote
cite="mid:OFC951B8A8(dot)DA173041-ON80257553(dot)005B3A94-80257553(dot)005BE628(at)shropshire(dot)gov(dot)uk"
type="cite"><br>
<font face="sans-serif" size="2">You should always salt your password
hashes.</font>
<br>
<br>
<font face="sans-serif" size="2">Ie randomly generate a salt string,
the store this and the password hash:</font>
<br>
<br>
<font face="sans-serif" size="2"> insert
into auth (user_id, salt, password) values (1,'blah',md5('blah' +
'test'))
;</font>
<br>
<br>
<font face="sans-serif" size="2">then to check the password</font>
<br>
<br>
<font face="sans-serif" size="2"> select
true from auth where user_id = 1 and password = md5( salt + 'test') ;</font>
<br>
<br>
<br>
<font face="sans-serif" size="2">I tend to set a trigger function to
auto generate a salt and hash the password.</font>
<br>
<br>
<br>
<br>
<font face="sans-serif" size="2">If you want to be really secure, use
both a md5 and sha1 hash, snice it has been proved you can generate
hash
collisions so you could use:</font>
<br>
<br>
<font face="sans-serif" size="2"> insert
into auth (user_id, salt, password) values (1,'blah',md5('blah' ||
'test')
|| sha1('blah' || 'test')) ;</font>
<br>
<br>
<font face="sans-serif" size="2">then to check the password</font>
<br>
<br>
<font face="sans-serif" size="2"> select
true from auth where user_id = 1 and password = md5( salt || 'test')
||
sha1( salt || 'test') ;</font>
<br>
<br>
<font face="sans-serif" size="2">Chris Ellis</font>
<br>
<br>
<br>
<br>
<br>
<table width="100%">
<tbody>
<tr valign="top">
<td width="40%"><font face="sans-serif" size="1"><b>"Raymond C.
Rodgers"
<a class="moz-txt-link-rfc2396E" href="mailto:sinful622(at)gmail(dot)com"><sinful622(at)gmail(dot)com></a></b> </font>
<br>
<font face="sans-serif" size="1">Sent by:
<a class="moz-txt-link-abbreviated" href="mailto:pgsql-general-owner(at)postgresql(dot)org">pgsql-general-owner(at)postgresql(dot)org</a></font>
<p><font face="sans-serif" size="1">04/02/2009 14:34</font>
</p>
</td>
<td width="59%">
<table width="100%">
<tbody>
<tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">To</font></div>
</td>
<td><font face="sans-serif" size="1">Iñigo Barandiaran
<a class="moz-txt-link-rfc2396E" href="mailto:ibarandiaran(at)vicomtech(dot)org"><ibarandiaran(at)vicomtech(dot)org></a></font>
</td>
</tr>
<tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">cc</font></div>
</td>
<td><font face="sans-serif" size="1"><a class="moz-txt-link-abbreviated" href="mailto:pgsql-general(at)postgresql(dot)org">pgsql-general(at)postgresql(dot)org</a></font>
</td>
</tr>
<tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">Subject</font></div>
</td>
<td><font face="sans-serif" size="1">Re: [GENERAL] field
with Password</font></td>
</tr>
</tbody>
</table>
<br>
<table>
<tbody>
<tr valign="top">
<td>
<br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
<br>
</td>
</tr>
</tbody>
</table>
<br>
<br>
<br>
<font size="3">Iñigo Barandiaran wrote: </font>
<br>
<font size="3">Thanks! <br>
<br>
<br>
Ok. I've found </font><a moz-do-not-send="true"
href="http://256.com/sources/md5/"><font color="blue" size="3"><u>http://256.com/sources/md5/</u></font></a><font
size="3">
library. So the idea is to define in the dataBase a Field of PlainText
type. When I want to insert a new user, I define a password, convert to
MD5 hash with the library and store it in the DataBase. Afterwards, any
user check should get the content of the DataBase of do the inverse
process
with the library. Is it correct? <br>
<br>
Thanks so much!!!!!! <br>
<br>
Best, <br>
</font>
<br>
<font size="3">Well, you can use the built-in md5 function for this
purpose.
For instance, you could insert a password into the table with a
statement
like:<br>
</font>
<br>
<font size="3">insert into auth_data (user_id, password) values (1,
md5('test'));</font>
<br>
<font size="3"><br>
And compare the supplied password with something like:<br>
</font>
<br>
<font size="3">select true from auth_data where user_id = 1 and
password
= md5('test');</font>
<br>
<font size="3"><br>
You don't need to depend on an external library for this functionality;
it's built right into Postgres. Personally, in my own apps I write in
PHP,
I use a combination of sha1 and md5 to hash user passwords, without
depending on Postgres to do the hashing, but the effect is basically
the
same.<br>
<br>
Raymond</font>
<br>
<p><span style="font-family: 'Courier New'; font-size: 8pt;">******************************************************************************</span></p>
<p style="line-height: 12pt;"><span
style="font-family: 'Helv'; font-size: 9.7pt; color: rgb(0, 0, 0);"><b>If
you are not the intended recipient of this email please do not send it
on</b></span></p>
<p style="line-height: 12pt;"><span
style="font-family: 'Helv'; font-size: 9.7pt; color: rgb(0, 0, 0);"><b>to
others, open any attachments or file the email locally. </b></span></p>
<p style="line-height: 12pt;"><span
style="font-family: 'Helv'; font-size: 9.7pt; color: rgb(0, 0, 0);"><b>Please
inform the sender of the error and then delete the original email.</b></span></p>
<p style="line-height: 12pt;"><span
style="font-family: 'Helv'; font-size: 9.7pt; color: rgb(0, 0, 0);"><b>For
more information, please refer to
<a class="moz-txt-link-freetext" href="http://www.shropshire.gov.uk/privacy.nsf">http://www.shropshire.gov.uk/privacy.nsf</a></b></span></p>
<p><span style="font-family: 'Courier New'; font-size: 8pt;">******************************************************************************</span></p>
<p><span style="font-family: 'Courier New'; font-size: 8pt;"> </span></p>
</blockquote>
<br>
</body>
</html>