Re: [SQLObject] Storing password hashes using built-in functions like PASSWORD() (where available)

Thu, 04 Sep 2008 12:41:11 -0700 

Oleg Broytmann wrote:
>    When the object is being created SQLObject doesn't set attributes one
> by one - it collects all name/value pairs and then issues one INSERT query.
> I.e., self._SO_set_passwd(func.PASSWORD(value)) doesn't access the SQL
> backend and hence doesn't raise an exception; the exception is raised later,
> when SQLObject really does INSERT.
>    See main.py, method _SO_setValue() for details:
> 
>         if self.sqlmeta._creating:
>             self._SO_createValues[name] = dbValue
>             return
> 
>    (I simplified the real code a bit to stress the important points.)
> 
>    self._SO_set_passwd(func.PASSWORD(value)) will issue an immediate UPDATE
> on any subsequent attribute assignment and your try/except will catch it.
> 
>    So for your magic to work you should create an object without a password
> and then update the password:
> 
> c = Credential()
> c.password = 'password'
> 
>    Change 'passwd' to StringCol(default=None).
> 
> Oleg.

That almost did it; I also had to specifically cater for _set_passwd
receiving "None".

For the list archives, here's the method as it works for me:

    def _set_passwd(self, value):
        # if the database has a built-in password hashing function,


        # use it. Otherwise, store a SHA256 password hash


        if value is None:
            self._SO_set_passwd(None)
        else:
            try:
                self._SO_set_passwd(func.PASSWORD(value))
            except OperationalError:
                digest = SHA256.new(value).hexdigest()
                self._SO_set_passwd(digest)


... and then initially create the instance with an empty passwd and
later update it.

Thanks again, Oleg!

Cheers,
Florian

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
sqlobject-discuss mailing list
sqlobject-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss

Reply via email to