2013/7/4 Durchholz, Joachim <[email protected]>
>
> > Is there any value in providing a local implementation of this function
>
> Not unless all other SQL functions are implemented on the Java side.
> Otherwise, people won't look for an implementation in jOOQ, and find the
> Stackoverflow answer before they find the jOOQ implementation.
>
> > so that the password string is not sent across the wire?
>
> That's generally good practice, yes.
>
> > The algo used is not that powerful as can be seen here
> > http://www.diknows.com/2011/05/mysql-password-method-in-java/
>
> I see.
> Just two rounds - not good.
> No salt - that's horrible.
>
> jOOQ could implement this to help those who need to interoperate with
> existing legacy code and data that uses PASSWORD.
> MySQLDSL.password() provides access to the MySQL PASSWORD() function.
> Everybody else should be deterred from using that though, probably via a
> (link to a) warning that PASSWORD offers almost no security, roughly
> equivalent to a smallish speed bump, and that as of 2013, the
> recommendation is to employ PBKDF2 with an SHA-2 hash instead - warnings
> that don't tell people what to do instead aren't very helpful :-)

Yes. I have a couple of "not very helpful" warnings (about syntax integrity, SQL injection) throughout the plain SQL API. They're essentially just disclaimers in the likely event of someone still doing it wrong :-)

Nonetheless, I agree with the feeling of encryption stuff being out of scope for jOOQ. Either you use MySQL (or other RDBMS') functions and you accept the fact that the password is sent over the wire, just as you accept the fact that PASSWORD isn't as good as SHA-2, or any tailor-made solution. Or you will use some more sophisticated Java tool to encrypt your passwords before sending them over the wire, in which case you will do the encryption before passing the value to jOOQ.
Or, as a friend of mine, committer to Apache Oltu, says: "Stay out of the password business"
