On Sun, Jul 03, 2005 at 12:57:54PM -0400, Tom Lane wrote: > Marko Kreen <marko@l-t.ee> writes:
> > As for the crypt() case, lets say you have a new user with > > hashed password field NULL. In addition, you have client > > program that compares crypt() result with hashed field > > itself, in addition it handles NULL's as empty string. > > Result: it is possible to login with any password. > > Lots of assumptions but in eg. PHP case they are all filled. > > A NULL password field is intended to have exactly that effect, no? Not necessarily -- it may mean the user was just created, or it was "deactivated" by setting the password to NULL. Yes, this last thing is foolish, but people do it anyway ... -- Alvaro Herrera (<alvherre[a]surnet.cl>) "The only difference is that Saddam would kill you on private, where the Americans will kill you in public" (Mohammad Saleh, 39, a building contractor) ---------------------------(end of broadcast)--------------------------- TIP 3: if posting/reading through Usenet, please send an appropriate subscribe-nomail command to [EMAIL PROTECTED] so that your message can get through to the mailing list cleanly