Re: contrib/pgcrypto functions not IMMUTABLE?
From | Alvaro Herrera |
---|---|
Subject | Re: contrib/pgcrypto functions not IMMUTABLE? |
Date | |
Msg-id | 20050703171924.GA15874@surnet.cl |
In response to | Re: contrib/pgcrypto functions not IMMUTABLE? (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: contrib/pgcrypto functions not IMMUTABLE? |
List | pgsql-hackers |

On Sun, Jul 03, 2005 at 12:57:54PM -0400, Tom Lane wrote:
> Marko Kreen <marko@l-t.ee> writes:
> > As for the crypt() case, lets say you have a new user with
> > hashed password field NULL. In addition, you have client
> > program that compares crypt() result with hashed field
> > itself, in addition it handles NULL's as empty string.
> > Result: it is possible to login with any password.
> > Lots of assumptions but in eg. PHP case they are all filled.
>
> A NULL password field is intended to have exactly that effect, no?

Not necessarily -- it may mean the user was just created, or it was
"deactivated" by setting the password to NULL. Yes, this last thing is
foolish, but people do it anyway ...

--
Alvaro Herrera (<alvherre[a]surnet.cl>)
"The only difference is that Saddam would kill you on private, where the
Americans will kill you in public" (Mohammad Saleh, 39, a building contractor)
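
The NULL-hash case discussed in this message, as an added example that is not part of the original thread or of pgcrypto: it models a client-side check that renders NULL as an empty string, next to a check that rejects a missing hash outright. `strict_crypt`, `login_vulnerable` and `login_hardened` are hypothetical names, and `strict_crypt` is a salted SHA-256 stand-in that only reproduces the NULL-in, NULL-out behaviour of a STRICT SQL function, not the real crypt() algorithm.

```python
import hashlib
import hmac


def strict_crypt(password, salt):
    """Stand-in for a STRICT SQL function: any NULL (None) argument gives NULL.

    Assumption: salted SHA-256 replaces the real crypt() algorithm so the
    example runs anywhere. The first 8 characters of `salt` are the salt,
    which lets a stored hash be passed back in as the salt argument.
    """
    if password is None or salt is None:
        return None
    s = salt[:8]
    return s + hashlib.sha256((s + password).encode()).hexdigest()


def login_vulnerable(stored_hash, password):
    # Client that treats NULL as "" on both sides of the comparison.
    computed = strict_crypt(password, stored_hash)
    return (computed or "") == (stored_hash or "")


def login_hardened(stored_hash, password):
    # A missing or empty hash never authenticates, whatever it was meant to signal.
    if not stored_hash:
        return False
    computed = strict_crypt(password, stored_hash)
    if computed is None:
        return False
    return hmac.compare_digest(computed, stored_hash)


# Constructed sample accounts: one with a password, one with a NULL hash
# (just created, or "deactivated" by setting the password to NULL).
USERS = {
    "alice": strict_crypt("correct horse", "a1b2c3d4"),
    "newuser": None,
}

if __name__ == "__main__":
    for name, stored in USERS.items():
        for guess in ("correct horse", "anything"):
            print(name, repr(guess),
                  "vulnerable:", login_vulnerable(stored, guess),
                  "hardened:", login_hardened(stored, guess))
```
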