[PARTIAL SOLVED] Re: Auth user with postgresql

Edho Arief edho at myconan.net
Wed Feb 22 03:53:41 UTC 2012

On Wed, Feb 22, 2012 at 9:03 AM, Max <nginxyz at mail.ru> wrote:
> No, they are not, because PHP and Python are using invalid salts, despite
> the fact that they shouldn't. Each value in the 0-63 range is represented
> by a printable salt character in the "./0-9A-Za-z" range. You are using an
> invalid salt character ('$'), which the Postgresql crypt() function silently
> maps to value 0, which is represented by the character '.' in the salt, so
> your '1$2NVPu8Urs82' hash is actually the result of crypt('multilab', '1.'),
> but with the original invalid salt '1$' prepended.
> According to the official PHP documentation, the PHP crypt() function
> should fail if the salt contains at least one invalid character, but
> it obviously doesn't, so you should make sure to verify the salt
> validity before calling the crypt() function.
> If your users are likely to have usernames that contain characters
> other than "./0-9A-Za-z", then you should use the Postgresql function
> gen_salt() instead of substr($user, 1, 2) when setting passwords:
> postgres_query "UPDATE usertable SET pwd=crypt($pass, gen_salt('des'))
> WHERE user=$user";

Don't forget that des password hashing is limited to 8 characters.
Anything beyond that is ignored.

$ echo '<?php echo crypt("12345678", "ad")."\n" ?>' | php
$ echo '<?php echo crypt("123456789", "ad")."\n" ?>' | php

It's better to use something more modern like bcrypt (gen_salt('bf',
8) in postgresql). If you want to hash it in php, import phpass[1]
PasswordHash to get the gen_salt equivalent function since php doesn't
seem to provide any.

[1] http://www.openwall.com/phpass/

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

More information about the nginx mailing list