Hi Luke,
I've just been playing with this myself (as you've seen). I'm no
expert... so maybe somebody else can jump in if what I say is incorrect.
On Wednesday, January 22, 2003, at 02:00 PM, Luke Woollard wrote:
How is this easiily achieved in Postgresql? (as there is no 'PASSWORD'
function)
As far as I know there aren't any similar functions available in
PostgreSQL. Additionally, I don't see anything wrong with sticking that
logic on the application-side rather than in the database.
Of course, if you do your access-control on the application side, then
you're vulnerable to faults in your PHP code potentially causing
complete database compromise.
Is there any way to replicate this with PostgreSQL or a better way to
authenticate users with both databases (md5 or similar) ????
One of the reasons we've moved from MySQL to PostgreSQL was to provide
more stringent security by using views and schemas. We decided that the
safest method was to create real users in the PostgreSQL system user
table, and then let Postgres worry about authenticating users. Then,
even if your PHP code is flawed, the SQL commands still execute with
only the users permissions.
This doesn't solve your original problem though. You still end up
needing to do the md5 hashing in the application layer. I'm curious to
know why you're opposed to this?
I'm keen to hear other peoples views on the cleanest way to
authenticate users...
Cheers
Matthew.
--
Matthew Horoschun
Network Administrator
CanPrint Communications Pty. Ltd.
Mobile: 0417 282 378
Direct: (02) 6295 4544
Telephone: (02) 6295 4422
Facsimile: (02) 6295 4473