Hi,

I'm learning SQLObject - checking if we could use it on our projects,
and I got stuck at hashing passwords inside the database.

Imagine a simple table with info about users:

    CREATE TABLE users (
        id INT PRIMARY KEY,
        login TEXT NOT NULL UNIQUE,
        pwdhash TEXT NOT NULL
    )

where "pwdhash" is a hashed password. We're using PostgreSQL and we
usually handle this inside the database using a pgcrypto module, that
provides various hash/crypto functions. An insert into the table then
looks like this:

    INSERT INTO users VALUES (1, 'login',
        crypt('mypassword', gen_salt('bf')))

which generates a salt, computes the hash and stores that into a single
text column (salt+hash). The authentication then looks like this:

    SELECT id, login FROM users
    WHERE login = 'login' AND pwdhash = crypt('mypassword', pwdhash)

which reuses the salt stored in the column.

I'm investigating if we could do this with SQLObject, but it seems to
me the answer is 'no'. I see it's possible to define magic attributes,
but that's not enough as I need to rewrite the SQL (to add the calls to
the crypt/gen_salt functions). I've done similar evaluations with
SQLAlchemy and it supports 'hybrid values' and 'type decorators' to do
this.

Is it possible to do something similar in SQLObject or do I have to
move the functionality to the application level?

regards
Tomas
_______________________________________________
sqlobject-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss
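
The application-level variant the message asks about, as an added example that is not part of the original post and is neither SQLObject nor pgcrypto code. It keeps the same single-column salt+hash contract (verify by recomputing with the stored value as the setting). Assumptions: an in-memory SQLite table stands in for PostgreSQL, PBKDF2-HMAC-SHA256 from the Python standard library stands in for pgcrypto's 'bf', and the `$pbkdf2$...` string layout and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor, stored with every hash


def gen_salt(nbytes=16):
    """Hypothetical stand-in for gen_salt(): '$scheme$cost$salt' prefix."""
    salt = base64.b64encode(os.urandom(nbytes)).decode()
    return "$pbkdf2$%d$%s" % (ITERATIONS, salt)


def crypt(password, setting):
    """Hypothetical stand-in for crypt(). 'setting' may be a fresh prefix or a
    full stored value; only scheme, cost and salt are read from it."""
    _, scheme, iters, salt = setting.split("$")[:4]
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme: %r" % scheme)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt), int(iters))
    return "$pbkdf2$%s$%s$%s" % (iters, salt, base64.b64encode(digest).decode())


def create_user(db, uid, login, password):
    # Same shape as: INSERT ... crypt('mypassword', gen_salt('bf'))
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (uid, login, crypt(password, gen_salt())))


def authenticate(db, login, password):
    # Same shape as: pwdhash = crypt('mypassword', pwdhash), done client-side
    row = db.execute("SELECT id, pwdhash FROM users WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return None
    uid, stored = row
    # Constant-time comparison of recomputed and stored value
    return uid if hmac.compare_digest(crypt(password, stored), stored) else None


def demo_db():
    """Constructed sample data mirroring the table in the message."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INT PRIMARY KEY, "
               "login TEXT NOT NULL UNIQUE, pwdhash TEXT NOT NULL)")
    create_user(db, 1, "login", "mypassword")
    return db
```

Unlike the pgcrypto version, the stored hash travels to the client for comparison, and the cleartext password never appears in SQL text sent to the server.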