Using the raw query as span name feels unsafe

[bixu]

I recently had a security incident at my org related to the default behavior of the library.

Specifically, the default behavior of using the DB statement as the value for the name span attribute caused a leak of sensitive information (from inside the statement) to our telemetry vendor.

Would it make more sense to at least truncate or sanitize the DB statement before using it in name? Reversing the current logic, maybe consider using the statement as the value for name only as an opt-in, rather than as the default?

[kuklyy]

I don't know the exact solution that could help this library, but I want to add more context.

It is a common practice to include a DB statement as a dimension in database monitoring in both instrumentation libraries and cloud database providers.

For instance, the AWS provides an analytics dashboard that has DB statement as a primary dimension.