Re: MAY I HAVE YOUR ASSISTANCE

 

> -----Mensaje original-----
> De: pgsql-sql-owner@postgresql.org 
> [mailto:pgsql-sql-owner@postgresql.org] En nombre de Gary Chambers
> Enviado el: Lunes, 01 de Septiembre de 2008 11:31
> Para: D'Arcy J.M. Cain
> CC: jameskitambara@yahoo.co.uk; pgsql-sql@postgresql.org
> Asunto: Re: [SQL] MAY I HAVE YOUR ASSISTANCE
> 
> >> I have one problem with the user table. I want to hide the 
> password for the users.
> 
> Here's what I did, which requires using the contrib/pgcrypto 
> extension:
> 
> CREATE FUNCTION encryptpw() RETURNS TRIGGER AS $encryptpw$ BEGIN
>         NEW.password = CRYPT(NEW.password, GEN_SALT('md5'));
>         RETURN NEW;
> END;
> $encryptpw$
> 
> CREATE TRIGGER trg_encryptpw BEFORE INSERT OR UPDATE ON 
> assignees FOR EACH ROW EXECUTE PROCEDURE encryptpw();
> 
> Comments, suggestions, criticisms?
> 
> -- Gary Chambers
> 

The weakness of this solution is that your password might be send in the
clear through the network as the encription ocurrs in the database. I
suggest the encryption be enforced at the application or secure the
connection with ssl.