2009/10/19 Dave Page <dp...@pgadmin.org>: > On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel.steh...@gmail.com> > wrote: > >> sure, you have to fix fulnerable application. But with some >> unsophisticated using %a and using wrong tools, the people can be >> blind and don't register an SQL injection attack. > > If they're logging the statements (which they presumably are if > looking for unusual activity), then they'll see the attack: > > dp...@myapp: LOG: connection authorized: user=dpage database=postgres > dp...@myapp: LOG: statement: set application_name='hax0red'; > dp...@hax0red: LOG: disconnection: session time: 0:00:20.152 > user=dpage database=postgres host=[local] >
this is bad solution. yes, I can found probmlematics rows, but I'll get ten or more larger log. This is available only when loging of application name changes depend on own configuration setting. Regards Pavel > > -- > Dave Page > EnterpriseDB UK: http://www.enterprisedb.com > -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
