I am using a Postgres 9.3 database as the backend for a web application. I am using PHP 5.5.7 to connect to the database and return JSON for external AJAX calls.
I am trying to decide where to put the user authentication logic.
I am not a security expert; however, I am familiar with PHP's new password_*() functions, and I have a strong understanding of what is happening under the hood. I am also familiar with the Postgres extension pgcrypto and its related function crypt().
My question is, does it make sense to use PHP or Postgres for hashing passwords?
I was curious how these functions differ, so I made a password hash in PHP and then gave it to Postgres to find out if Postgres uses the same algorithm. Given the same parameters, Postgres returned a different result compared to PHP (not unexpected, but worth a note).
PHP
password_hash('password', PASSWORD_BCRYPT, ["cost" => 15]);
output: $2y$15$o8JufrnVXoob2NKiEGx6.uI4O2D4VcaAmY7WtNq5zPFiJow4KohGu
Postgres
SELECT '$2y$15$o8JufrnVXoob2NKiEGx6.uI4O2D4VcaAmY7WtNq5zPFiJow4KohGu' = crypt('password', '$2y$15$o8JufrnVXoob2NKiEGx6.uI4O2D4VcaAmY7WtNq5zPFiJow4KohGu')
output: false
PHP vs Postgres
Given that these processes are different, I wonder if one is better than the other? Is one more or less safe?
Other thoughts:
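The two placements side by side, as an added example that is not part of the question: hashing in PHP, then verifying either in PHP or in Postgres the way bcrypt requires (re-hash with the stored hash as salt and compare). It assumes a users(username, password_hash) table, a PDO connection $pdo, and pgcrypto installed.

```php
<?php
// Added example, not code from the question. Assumes a table
// users(username text primary key, password_hash text), a PDO connection
// $pdo to the Postgres database, and CREATE EXTENSION pgcrypto already run.

const BCRYPT_COST = 12; // the question's cost 15 takes seconds per login

// Registration: hash in PHP. bcrypt picks a random salt, so two hashes of
// the same password never match byte for byte; only a verify-style
// comparison (re-hash with the stored salt) is meaningful.
function registerUser(PDO $pdo, $username, $password)
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    return $stmt->execute([$username, $hash]);
}

// Login, variant A: verify in PHP. The plaintext password never leaves the
// web tier, so it cannot land in Postgres logs or pg_stat_activity.
function loginInPhp(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // unknown user (a dummy password_verify() here equalises timing)
    }
    return password_verify($password, $hash);
}

// Login, variant B: verify in Postgres. crypt() re-hashes the candidate with
// the stored hash as salt, so a match means the result equals the stored hash.
// pgcrypto writes the $2a$ prefix, and the question shows a PHP $2y$ hash
// failing to verify on 9.3; since $2y$ denotes the same corrected bcrypt,
// the prefix is rewritten to $2a$ before crypt() sees it. Caveat: the
// plaintext travels to the database server and can be captured by
// log_statement, log_min_duration_statement or any query-capturing tool.
function loginInPostgres(PDO $pdo, $username, $password)
{
    $sql = <<<'SQL'
SELECT crypt(?, h) = h AS ok
  FROM (SELECT regexp_replace(password_hash, '^\$2y\$', '$2a$') AS h
          FROM users WHERE username = ?) AS s
SQL;
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$password, $username]);
    $ok = $stmt->fetchColumn();         // no row for an unknown user
    return $ok === true || $ok === 't'; // pdo_pgsql may return bool or 't'
}
```

In the reverse direction, a hash produced in Postgres with gen_salt('bf') carries the $2a$ prefix, which PHP's password_verify() accepts as-is.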