2009/10/19 Dave Page <dpage@pgadmin.org>:
> On Mon, Oct 19, 2009 at 8:54 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote:
>> I dislike write access to the app name GUC for users too. It's not safe.
>> Maybe only a superuser can do it?
>
> That'll render it pretty useless, as most applications wouldn't then
> be able to set/reset it when it makes sense to do so.

But an application can do it simply via the connection string, no? Mostly
applications have a connection string in their configuration, so I don't see
a problem there. And if I wanted to allow access, then I could wrap the
setting in a security definer function.

I see this as a security hole. It allows a special SQL injection.

Regards
Pavel Stehule
>
>
> --
> Dave Page
> EnterpriseDB UK: http://www.enterprisedb.com
>