| From: | Dave Page <dpage(at)pgadmin(dot)org> |
|---|---|
| To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
| Cc: | Dimitri Fontaine <dfontaine(at)hi-media(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Application name patch - v2 |
| Date: | 2009-10-19 12:00:28 |
| Message-ID: | 937d27e10910190500p3bb31030t849656a9c00fe76@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Oct 19, 2009 at 12:57 PM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
> It is not practical. I'll log errors. Usually SQL injection generates
> lot of errors. Loging all statements has not sense. What is difference
> bad and good SQL statement.? Maybe multistatements are good candidates
> for log as possible attackers statements. On highly load databases
> loging all statements significantly increase load :(
Ahh, I see.
>> My point is, that the query to change the app name is logged using the
>> *original* app name, thus it will not be discarded by the log analysis
>> tools in your scenario.
>>
>
> I thing, so change of original name should generate warning.
Well, if other people think that's necessary, it's certainly possible.
--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | daveg | 2009-10-19 12:07:17 | Re: Deprecation |
| Previous Message | Pavel Stehule | 2009-10-19 11:57:20 | Re: Application name patch - v2 |