undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointschrsig4y ago0 comments

With a sql injection, you have to willfully provide an input with the hope that it results in injection

my understanding is that the reporter looked at the source that was being sent as intended -- no manipulation of input by the client

0 comments

6 comments · 2 top-level

dtgriscom4y ago· 2 in thread

You send a query string to a server with the hopes that the server will give you what you want. Isn't that the World Wide Web?

Proving "intent" is much harder than proving action. And, to me it seems bad for the law to enforce based on whether the server's authors "wanted" to provide a specific piece of information.

chii4y ago

Intent is something that is considered in murder homicide cases, so why not in these cases too?

_y5hn4y ago

Because murder is a crime, intent is not.

Supermancho4y ago· 2 in thread

> With a sql injection, you have to willfully provide an input with the hope that it results in injection

If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent.

Your intent by crafting such a link was clear.

Supermancho4y ago

Thats a third party. Youre mixing responsibility and ascribing it to an innocent party. That was the obvious point, with an incidental mention of another (random input) case where innocence is a reasonable deduction. Therefore, it is not necessary for an sql injection attack to be connected with the intent of the actor. Period.

From US caselaw, theres a little history about the not chasing after infected botnet hosts as bad actors.

j / k navigate · click thread line to collapse