Human-guided, AI-assisted coding for secure SQL table development- Proof of Concept
medium.com

Human-guided, AI-assisted coding for secure SQL table development- Proof of Concept

Matthew L. Matthew L.

Matthew L.

Published Mar 17, 2023
+ Follow

There is a lot of talk on LinkedIn and in the media about how AI is changing the world. I believe this to be true, but think that the panic surrounding how AI will replace humans is unfounded. AI is a powerful tool, but useless without the guiding hand of informed humans.

AI is powerful because it takes the labor out of code development. However, it's not a replacement for developers because they have the knowledge on how to implement, modify, and troubleshoot code solutions based on the specific need case of an organization.

That being said, I've been working on a method for developing a secure SQL table to store usernames, passwords, etc. by leveraging my knowledge of #cybersecurity, #sql, #ai, #logic, and #learninganddevelopment principles. The cool thing about this method is that it only requires a little knowledge in each area.

I have a transcript that shows the steps I took to get to the output below and how modifying the inputs improved the output over time. If there is interest, I can publish the transcript showing the process.

The objective of this post is to get some feedback on the efficiency and security of the #code (DB: postgreSQL, formatted w/Notepad++).

Please share your feedback, knowledge, and tips in the comments! 

CREATE TABLE secure_use
       (
              user_id SERIAL PRIMARY KEY
            , username      VARCHAR(50) NOT NULL UNIQUE
            , salt          VARCHAR(128) NOT NULL
            , password_hash VARCHAR(128) NOT NULL
            , created_at    TIMESTAMP WITH TIME ZONE DEFAULT NOW()
            , updated_at    TIMESTAMP WITH TIME ZONE DEFAULT NOW()
       )
;


-- Grant SELECT permission to an application user
GRANT
SELECT
ON
       TABLE secure_user TO my_application_user
;


-- Generate a random salt value for each new user and hash their password with bcrypt
CREATE OR REPLACE FUNCTION create_user
(
in_username   VARCHAR(50)
, in_password VARCHAR(255)
) RETURNS VOID
AS
$$
DECLARE
salt_value VARCHAR(128);
BEGIN
-- Generate a random salt value
SELECT
       gen_salt('bf', 10)
INTO
       salt_value
;


-- Hash the password with the salt value using bcrypt
INSERT INTO secure_user
       (username
            , salt
            , password_hash
       )
       VALUES
       (in_username
            , salt_value
            , crypt(in_password, salt_value)
       )
;


END;
$$ LANGUAGE plpgsql;
-- Verify a user's password by checking the hashed value
CREATE OR REPLACE FUNCTION verify_password
(
in_username   VARCHAR(50)
, in_password VARCHAR(255)
) RETURNS BOOLEAN
AS
$$
DECLARE
stored_password_hash VARCHAR(128);
BEGIN
-- Get the stored password hash and salt for the specified username
SELECT
       password_hash
FROM
       secure_user
WHERE
       username = in_username
INTO
       stored_password_hash
;


-- Check if the password hash matches the stored value
RETURN stored_password_hash = crypt(in_password, stored_password_hash);
END;
$$ LANGUAGE plpgsql;
-- Use prepared statements to prevent SQL injection attacks
PREPARE insert_user (VARCHAR(50), VARCHAR(255)) AS
INSERT INTO secure_user
       (username
            , salt
            , password_hash
       )
       VALUES
       ($1
            , $2
            , $3
       )
;


PREPARE select_user (VARCHAR(50)) AS
SELECT
       password_hash
FROM
       secure_user
WHERE
       username = $1
;


-- Use parameterized queries to protect against SQL injection and keep sensitive information separate from SQL code
CREATE OR REPLACE FUNCTION create_user
(
in_username   VARCHAR(50)
, in_password VARCHAR(255)
) RETURNS VOID
AS
$$
DECLARE
salt_value VARCHAR(128);
BEGIN
-- Generate a random salt value
SELECT
       gen_salt('bf', 10)
INTO
       salt_value
;


-- Hash the password with the salt value using bcrypt
EXECUTE insert_user(in_username, salt_value, crypt(in_password, salt_value));
END;
$$ LANGUAGE plpgsql;
CREATE OR REPLACE FUNCTION verify_password
(
in_username   VARCHAR(50)
, in_password VARCHAR(255)
) RETURNS BOOLEAN
AS
$$
DECLARE
stored_password_hash VARCHAR(128);
BEGIN
-- Get the stored password hash and salt for the specified username
EXECUTE select_user(in_username) INTO stored_password_hash;
-- Check if the password hash matches the stored value
RETURN stored_password_hash = crypt(in_password, stored_password_hash);
END;
$$ LANGUAGE plpgsql;r

To view or add a comment, sign in

More articles by Matthew L.

  • Canary - A security skill & framework for Claude Code
    Mar 25, 2026

    Canary - A security skill & framework for Claude Code

    I recently developed a #Claude skill that answers questions that most developers, security researchers, and tech…

  • SQL Inner Join Tutorial
    Mar 13, 2023

    SQL Inner Join Tutorial

    Preface I often think to myself, "If only this material was presented as xyz, I could grasp it better!" Now, with the…

    2 Comments
  • Using ChatGPT for Timely Phishing Analysis
    Mar 1, 2023

    Using ChatGPT for Timely Phishing Analysis

    Can you use chatGPT to perform quick and meaningful #cybersecurity analysis of #phishing emails for #cyberdefense…

  • My Level Effect CDA Bootcamp Experience
    Dec 15, 2022

    My Level Effect CDA Bootcamp Experience

    Those that know me are aware that I have been in a career transition for the last few months, and those that don't are…

  • Phishing, Malware, Initial Access, and Privilege Escalation
    Nov 2, 2022

    Phishing, Malware, Initial Access, and Privilege Escalation

    I received an email from “Amazon” a few days back with an attachment named “INFO-34-1928-APD-4233-119.pdf”, so I…

    1 Comment
See all articles

Explore content categories