2009/10/19 Dave Page <dpage@pgadmin.org>:
> On Mon, Oct 19, 2009 at 10:45 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote:
>
>> sure, you have to fix fulnerable application. But with some
>> unsophisticated using %a and using wrong tools, the people can be
>> blind and don't register an SQL injection attack.
>
> If they're logging the statements (which they presumably are if
> looking for unusual activity), then they'll see the attack:
>
> dpage@myapp: LOG: connection authorized: user=dpage database=postgres
> dpage@myapp: LOG: statement: set application_name='hax0red';
> dpage@hax0red: LOG: disconnection: session time: 0:00:20.152
> user=dpage database=postgres host=[local]
>
this is bad solution. yes, I can found probmlematics rows, but I'll
get ten or more larger log. This is available only when loging of
application name changes depend on own configuration setting.
Regards
Pavel
>
> --
> Dave Page
> EnterpriseDB UK: http://www.enterprisedb.com
>