Re: Application name patch - v2

On Mon, Oct 19, 2009 at 01:00:28PM +0100, Dave Page wrote:
> On Mon, Oct 19, 2009 at 12:57 PM, Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> wrote:
> > It is not practical. I'll log errors. Usually SQL injection generates
> > lot of errors. Loging all statements has not sense. What is difference
> > bad and good SQL statement.? Maybe multistatements are good candidates
> > for log as possible attackers statements. On highly load databases
> > loging all statements significantly increase load :(
>
> Ahh, I see.
>
> >> My point is, that the query to change the app name is logged using the
> >> *original* app name, thus it will not be discarded by the log analysis
> >> tools in your scenario.
> >>
> >
> > I thing, so change of original name should generate warning.
>
> Well, if other people think that's necessary, it's certainly possible.

I have clients working around the lack of this feature by simply prepending
a single line comment to their sql in the application to supply the app name.
eg:

-- monthly_report monthly_process.py:524
select wev from foo;

This feature would be very handy, but not if it requires special permission
to use it.

-dg

--
David Gould daveg(at)sonic(dot)net 510 536 1443 510 282 0869
If simplicity worked, the world would be overrun with insects.