2009/10/19 Dave Page <dpage@pgadmin.org>:
> On Mon, Oct 19, 2009 at 9:36 AM, Pavel Stehule <pavel.stehule@gmail.com> wrote:
>> Then we have to divide this value to two independent values like
>> application_name and application_state.
>
> How does that make any difference? That just means we have two values,
> at least one of which is still userset, and means an additional field
> in the logs and stats view etc.
>
>>>> I see this as security hole. It allows special SQL injection.
>>>
>>> How so?
>>>
>> You change identity. If any application is vulnerable to SQL
>> injection, then this value is nice goal.
>
> Are you saying that if your application is vulnerable, then the user
> may be able to masquerade as something else? If that's the case (and
> it's a problem for you), then there's a good chance you've got far
> bigger problems to worry about.
>
> This is not intended as a security mechanism, merely as a convenient
> way to identify what a backend is being used for. It doesn't remove
> any of the existing properties of the connection that the user cannot
> change (PID, current query, current user, host IP etc).
There are some log parser's and analysers. So people use reduced log
often. The reductions rules should be based on application name. Why
not? And when somebody modifies to appliacation name, then these logs
finish in '/dev/null.
regards
Pavel Stehule
>
>
> --
> Dave Page
> EnterpriseDB UK: http://www.enterprisedb.com
>
