On Mon, Oct 19, 2009 at 01:00:28PM +0100, Dave Page wrote: > On Mon, Oct 19, 2009 at 12:57 PM, Pavel Stehule <pavel.steh...@gmail.com> > wrote: > > It is not practical. I'll log errors. Usually SQL injection generates > > lot of errors. Loging all statements has not sense. What is difference > > bad and good SQL statement.? Maybe multistatements are good candidates > > for log as possible attackers statements. On highly load databases > > loging all statements significantly increase load :( > > Ahh, I see. > > >> My point is, that the query to change the app name is logged using the > >> *original* app name, thus it will not be discarded by the log analysis > >> tools in your scenario. > >> > > > > I thing, so change of original name should generate warning. > > Well, if other people think that's necessary, it's certainly possible.
I have clients working around the lack of this feature by simply prepending a single line comment to their sql in the application to supply the app name. eg: -- monthly_report monthly_process.py:524 select wev from foo; This feature would be very handy, but not if it requires special permission to use it. -dg -- David Gould da...@sonic.net 510 536 1443 510 282 0869 If simplicity worked, the world would be overrun with insects. -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
