[chrsig]

With a sql injection, you have to willfully provide an input with the hope that it results in injection

my understanding is that the reporter looked at the source that was being sent as intended -- no manipulation of input by the client

[dtgriscom]

You send a query string to a server with the hopes that the server will give you what you want. Isn't that the World Wide Web?

Proving "intent" is much harder than proving action. And, to me it seems bad for the law to enforce based on whether the server's authors "wanted" to provide a specific piece of information.

[chii]

Intent is something that is considered in murder homicide cases, so why not in these cases too?

[_y5hn]

Because murder is a crime, intent is not.

[chii]

To differentiate between murder and manslaughter (say, due to negligence), the idea of intent (or state of mind) is taken into account.

[_y5hn]

There is nothing illegal about reading what was sent to you though.

[chii]

If the data was sent as part of normal operation, then yes, it should be fine. But the post above is talking about incrementing an ID in a query, or inject SQL.

The intent of the person doing the incrementing id, or sql injection, is very much required to be taken in to consideration when considering whether it is an illegal act of computer trespass.

[egberts1]

Intent to murder is now a misdemeanor… in Maryland.

[_y5hn]

Plans for crime can be a crime though. Law is complicated! :P

[Supermancho]

> With a sql injection, you have to willfully provide an input with the hope that it results in injection

If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent.

[wvenable]

Your intent by crafting such a link was clear.

[Supermancho]

Thats a third party. Youre mixing responsibility and ascribing it to an innocent party. That was the obvious point, with an incidental mention of another (random input) case where innocence is a reasonable deduction. Therefore, it is not necessary for an sql injection attack to be connected with the intent of the actor. Period.

From US caselaw, theres a little history about the not chasing after infected botnet hosts as bad actors.

[wvenable]

If you commit wire fraud through an innocent intermediary, you're still guilty of wire fraud. If you give someone a link that's an attack and they unknowingly run it, then you're the one at fault not the person clicking the link.

I think it's pretty straight forward.

[Supermancho]

> an SQL injection could also be "just a query parameter" and the server would haply reply with a 200. (true)

> With a sql injection, you have to willfully provide an input with the hope that it results in injection (false)

> If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent. (true)

> Your intent by crafting such a link was clear. (irrelevant)

You can have SQL injection without intent, as I have adequately explained.

This redirection to an "original actor" is a bad faith argument toward finding if there is someone culpable. The poster I responded to, made a bad general assertion and I stand by it. GL with whatever.

[chrsig]

You're kind of just describing why it's hard to prosecute based on intent though.

For the purposes of distinguishing between if something is an exploit or not, it doesn't seem too relevant