On Mon, Oct 19, 2009 at 9:36 AM, Pavel Stehule <pavel.steh...@gmail.com> wrote: > Then we have to divide this value to two independent values like > application_name and application_state.
How does that make any difference? That just means we have two values, at least one of which is still userset, and means an additional field in the logs and stats view etc. >>> I see this as security hole. It allows special SQL injection. >> >> How so? >> > You change identity. If any application is vulnerable to SQL > injection, then this value is nice goal. Are you saying that if your application is vulnerable, then the user may be able to masquerade as something else? If that's the case (and it's a problem for you), then there's a good chance you've got far bigger problems to worry about. This is not intended as a security mechanism, merely as a convenient way to identify what a backend is being used for. It doesn't remove any of the existing properties of the connection that the user cannot change (PID, current query, current user, host IP etc). -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
