[SOLVED] Re: Auth user with postgresql

Giuseppe Tofoni gt0057 at gmail.com
Wed Feb 22 22:33:05 UTC 2012


Hi all,

Thanks to everyone who helped me to solve the problem.
I tried with these three solutions and they worked perfectly.

PHP and Postgresql
$pass =crypt($password, '$1$')
UPDATE usertable SET pwd='$pass' WHERE user='$user';

Postgresql only
UPDATE usertable SET pwd=crypt('mypass', gen_salt('md5')) WHERE user='username';

Nginx
postgres_query   "SELECT user FROM usertable  WHERE user=$user AND
pwd=crypt($pass, pwd)";

Best Regards

Giuseppe

2012/2/22 Edho Arief <edho at myconan.net>:
> On Wed, Feb 22, 2012 at 9:03 AM, Max <nginxyz at mail.ru> wrote:
>>
>> No, they are not, because PHP and Python are using invalid salts, despite
>> the fact that they shouldn't. Each value in the 0-63 range is represented
>> by a printable salt character in the "./0-9A-Za-z" range. You are using an
>> invalid salt character ('$'), which the Postgresql crypt() function silently
>> maps to value 0, which is represented by the character '.' in the salt, so
>> your '1$2NVPu8Urs82' hash is actually the result of crypt('multilab', '1.'),
>> but with the original invalid salt '1$' prepended.
>>
>> According to the official PHP documentation, the PHP crypt() function
>> should fail if the salt contains at least one invalid character, but
>> it obviously doesn't, so you should make sure to verify the salt
>> validity before calling the crypt() function.
>>
>> If your users are likely to have usernames that contain characters
>> other than "./0-9A-Za-z", then you should use the Postgresql function
>> gen_salt() instead of substr($user, 1, 2) when setting passwords:
>>
>> postgres_query "UPDATE usertable SET pwd=crypt($pass, gen_salt('des'))
>> WHERE user=$user";
>>
>
> Don't forget that des password hashing is limited to 8 characters.
> Anything beyond that is ignored.
>
> $ echo '<?php echo crypt("12345678", "ad")."\n" ?>' | php
> adBh37ptDUT2o
> $ echo '<?php echo crypt("123456789", "ad")."\n" ?>' | php
> adBh37ptDUT2o
>
> It's better to use something more modern like bcrypt (gen_salt('bf',
> 8) in postgresql). If you want to hash it in php, import phpass[1]
> PasswordHash to get the gen_salt equivalent function since php doesn't
> seem to provide any.
>
> [1] http://www.openwall.com/phpass/
>
> --
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



More information about the nginx mailing list