[PARTIAL SOLVED] Re: Auth user with postgresql

Max nginxyz at mail.ru
Wed Feb 22 02:03:09 UTC 2012

21 февраля 2012, 23:22 от Giuseppe Tofoni <gt0057 at gmail.com>:
> The password is correct, the problem is postgresql vers. 9.0.3 not "nginx",
> es:
> authuser=# select crypt('multilab', '1$'), pwd from usertable where
> user ='multilab' ;
> crypt     | pwd
> ---------------+---------------
> 1$2NVPu8Urs82 | 1$Ln7ocLxd/.k
> (1 row)
> pwd =1$Ln7ocLxd/.k
> salt =1$
> PHP calculated and in python crypt.crypt('multilab', pwd[:2] are are correct)

No, they are not, because PHP and Python are using invalid salts, despite
the fact that they shouldn't. Each value in the 0-63 range is represented
by a printable salt character in the "./0-9A-Za-z" range. You are using an
invalid salt character ('$'), which the Postgresql crypt() function silently
maps to value 0, which is represented by the character '.' in the salt, so
your '1$2NVPu8Urs82' hash is actually the result of crypt('multilab', '1.'),
but with the original invalid salt '1$' prepended.

According to the official PHP documentation, the PHP crypt() function
should fail if the salt contains at least one invalid character, but
it obviously doesn't, so you should make sure to verify the salt
validity before calling the crypt() function.

If your users are likely to have usernames that contain characters
other than "./0-9A-Za-z", then you should use the Postgresql function
gen_salt() instead of substr($user, 1, 2) when setting passwords:

postgres_query "UPDATE usertable SET pwd=crypt($pass, gen_salt('des'))
WHERE user=$user";


More information about the nginx mailing list