[PARTIAL SOLVED] Re: Auth user with postgresql

Max nginxyz at mail.ru
Tue Feb 21 19:11:37 UTC 2012



21 February 2012, 20:45 from Giuseppe Tofoni <gt0057 at gmail.com>:
>
> In PHP I used    crypt($pass, CRYPT_STD_DES) and I tried with the
> following statement

CRYPT_STD_DES is just a constant that indicates whether standard
DES crypt() is available, so you should not use it as the salt - or if
you do, the salt will be "1" (or "0" if standard DES crypt() is not
available). You may want to use something like this instead:

if (CRYPT_STD_DES == 1) {             // standard DES crypt() is available
    $salt = substr($username, 0, 2);  // two-character salt from the username
    $encrypted_password = crypt($password, $salt);
}

You should regenerate your .htpasswd file using this approach
because Apache's htpasswd uses a random salt instead of
the first two characters of the username.

> 
> postgres_query    "SELECT user FROM usertable WHERE user=$user AND
> pwd=crypt($pass, substr(pwd, 1, 2))";

You should never use any part of whatever you're encrypting as the salt 
because it greatly reduces encryption strength / entropy. By using the
first two characters of the password as the salt, you're revealing them
because the salt is stored in the first two characters of the resulting
crypt() hash:

crypt("test", "te") generates "teH0wLIpW0gyQ"
crypt("test", "XX") generates "XXF2OrGyU2fzk"

So you may want to use something like this:

postgres_query    "SELECT user FROM usertable WHERE user=$user AND
pwd=crypt($pass, substr($user, 1, 2))";

Max
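The two points Max makes above (the salt sits in the first two characters of a DES crypt() hash, and htpasswd picks that salt at random) in one runnable PHP script. This is an added example, not code from the thread; the function names are my own.

```php
<?php
// Added example, not code from the original thread: standard-DES crypt()
// with a random two-character salt (what Apache htpasswd does), and
// verification that reads the salt back out of the stored hash.

// Characters crypt() accepts in a DES salt: 64 symbols, so 64 * 64 = 4096
// possible salts. A salt taken from the username or the password collapses
// that space and, as the thread notes, leaks those characters in the hash.
const SALT_ALPHABET = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function des_salt(): string
{
    return substr(SALT_ALPHABET, random_int(0, 63), 1)
         . substr(SALT_ALPHABET, random_int(0, 63), 1);
}

function des_hash(string $password): string
{
    // CRYPT_STD_DES only says whether DES crypt() exists; it is not a salt.
    if (CRYPT_STD_DES !== 1) {
        throw new RuntimeException('standard DES crypt() is not available');
    }
    // Caveat: DES crypt() uses only the first 8 characters of the password.
    return crypt($password, des_salt());
}

function des_verify(string $password, string $storedHash): bool
{
    // A DES crypt() hash is 13 characters and begins with its own salt, so
    // the stored value is all that is needed to recompute and compare.
    if (strlen($storedHash) !== 13) {
        return false;
    }
    $salt = substr($storedHash, 0, 2);
    return hash_equals($storedHash, crypt($password, $salt));
}

// Fixed salts show the salt sitting in the first two characters of the hash.
foreach (['te', 'XX'] as $salt) {
    printf("crypt('test', '%s') = %s\n", $salt, crypt('test', $salt));
}

// Random salt: the same password stored twice yields two different hashes,
// and each verifies only against the password it was made from.
$stored = des_hash('test');
printf("stored: %s  verify(test)=%s  verify(wrong)=%s\n",
    $stored,
    var_export(des_verify('test', $stored), true),
    var_export(des_verify('wrong', $stored), true));
```

des_verify() is the PHP equivalent of reading the salt from the stored pwd column, which is why a random salt costs nothing at login time.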


More information about the nginx mailing list