On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote:
> sure, you have to fix fulnerable application. But with some
> unsophisticated using %a and using wrong tools, the people can be
> blind and don't register an SQL injection attack.
If they're logging the statements (which they presumably are if
looking for unusual activity), then they'll see the attack:
dpage@myapp: LOG: connection authorized: user=dpage database=postgres
dpage@myapp: LOG: statement: set application_name='hax0red';
dpage@hax0red: LOG: disconnection: session time: 0:00:20.152
user=dpage database=postgres host=[local]
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com