Hi,
I'm learning SQLObject - checking if we could use it on our projects -
and I got stuck on hashing passwords inside the database.
Imagine a simple table with info about users:
CREATE TABLE users (
    id      INT PRIMARY KEY,
    login   TEXT NOT NULL UNIQUE,
    pwdhash TEXT NOT NULL
)
where "pwdhash" is a hashed password. We're using PostgreSQL and we
usually handle this inside the database using the pgcrypto module, which
provides various hash/crypto functions. An insert into the table then
looks like this:
    INSERT INTO users VALUES (1, 'login', crypt('mypassword', gen_salt('bf')))
which generates a salt, computes the hash and stores that into a single
text column (salt+hash). The authentication then looks like this:
    SELECT id, login FROM users
     WHERE login = 'login' AND pwdhash = crypt('mypassword', pwdhash)
which reuses the salt stored in the column.
I'm investigating if we could do this with SQLObject, but it seems to
me the answer is 'no'. I see it's possible to define magic attributes,
but that's not enough as I need to rewrite the SQL (to add the calls to
the crypt/gen_salt functions). I've done similar evaluations with
SQLAlchemy and it supports 'hybrid values' and 'type decorators' to do
this.
Is it possible to do something similar in SQLObject or do I have to
move the functionality to the application level?
regards
Tomas
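For readers weighing the second option the post raises (moving the hashing to the application level), here is an added example of that approach; it is not from the original post or from SQLObject. It assumes the application replaces pgcrypto's crypt()/gen_salt() with PBKDF2-HMAC-SHA256 from Python's standard library, keeps the same storage shape (salt and hash together in the single pwdhash text column, so the schema is unchanged), and verifies a login by re-deriving the hash with the salt parsed out of the stored value, which mirrors `pwdhash = crypt('mypassword', pwdhash)`. The users table here is an in-memory SQLite stand-in for the poster's PostgreSQL table so the code runs offline; the plain parametrised SQL would be the same through any DB-API driver or ORM.

```python
"""Application-level salt+hash storage, as an alternative to pgcrypto's crypt().

Added example (not code from the original post or from SQLObject). Assumed
design: the application generates the salt, derives the hash with
PBKDF2-HMAC-SHA256, and stores a self-describing string in the one
``pwdhash`` column; verification re-derives with the stored salt and cost.
The SQLite table is a constructed stand-in for the poster's PostgreSQL table.
"""
import base64
import hashlib
import hmac
import os
import sqlite3

# Cost parameter for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000
SCHEME = "pbkdf2-sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return '$scheme$iterations$salt$hash' for storage in the pwdhash column.

    A fresh random salt is drawn per call (the role gen_salt() plays), and the
    cost is recorded alongside it so it can be raised later without breaking
    verification of older rows.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Standard base64 never contains '$', so the field separator is unambiguous.
    return "${}${}${}${}".format(
        SCHEME,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the salt and cost taken from the stored value.

    Mirrors ``pwdhash = crypt('mypassword', pwdhash)``: the stored column is
    both the reference hash and the source of the salt. The comparison is
    constant-time, and a malformed column value never authenticates.
    """
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Verified against when the login does not exist, so an unknown user costs
# about as much as a wrong password and the response time does not reveal
# which logins are present.
_DUMMY_HASH = hash_password("not-a-real-password")


def create_users_table(conn: sqlite3.Connection) -> None:
    """Same column layout as the poster's table (types spelled for SQLite)."""
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " login TEXT NOT NULL UNIQUE,"
        " pwdhash TEXT NOT NULL)"
    )


def add_user(conn: sqlite3.Connection, user_id: int, login: str,
             password: str, iterations: int = DEFAULT_ITERATIONS) -> None:
    """The hash is computed in the application; the INSERT carries only the result."""
    conn.execute(
        "INSERT INTO users (id, login, pwdhash) VALUES (?, ?, ?)",
        (user_id, login, hash_password(password, iterations)),
    )


def authenticate(conn: sqlite3.Connection, login: str, password: str):
    """Fetch the stored hash by login, verify in the application; user id or None."""
    row = conn.execute(
        "SELECT id, pwdhash FROM users WHERE login = ?", (login,)
    ).fetchone()
    if row is None:
        verify_password(password, _DUMMY_HASH)  # equalise timing, then reject
        return None
    user_id, pwdhash = row
    return user_id if verify_password(password, pwdhash) else None


def demo(iterations: int = DEFAULT_ITERATIONS):
    """Insert one constructed user, then try a good, a wrong and an unknown login."""
    conn = sqlite3.connect(":memory:")
    create_users_table(conn)
    add_user(conn, 1, "login", "mypassword", iterations)
    return (
        authenticate(conn, "login", "mypassword"),   # 1
        authenticate(conn, "login", "wrongpassword"),  # None
        authenticate(conn, "nobody", "mypassword"),  # None
    )


if __name__ == "__main__":
    print(demo())
```

The trade-off against the pgcrypto version is that the plaintext password now travels only as far as the application, never into SQL text or the server's statement log, and the cost parameter can be changed per row without a schema change; the price is that every client that writes or checks passwords must use the same hashing code.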