On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel.steh...@gmail.com> wrote:
> sure, you have to fix fulnerable application. But with some > unsophisticated using %a and using wrong tools, the people can be > blind and don't register an SQL injection attack. If they're logging the statements (which they presumably are if looking for unusual activity), then they'll see the attack: dp...@myapp: LOG: connection authorized: user=dpage database=postgres dp...@myapp: LOG: statement: set application_name='hax0red'; dp...@hax0red: LOG: disconnection: session time: 0:00:20.152 user=dpage database=postgres host=[local] -- Dave Page EnterpriseDB UK: http://www.enterprisedb.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers