Comment by butlike
2 months ago
Wouldn't admitting this in court pin you with some sort of negligence? (if you knew having a schema revealed would compromise your app in some way).
"Defense in depth" is an easy argument to make. I sure hope I don't have any SQL injection holes, but I can't prove it with 100% certainty.
I can't imagine how the schema would reveal SQL injection holes. Maybe other holes, though. Any poor choices for PKs, dumb use of MD5 computed fields, insecure random, misuse of NULL, weird uniqueness constraints (this also ties back to NULLs), vulnerable extensions, wrong timestamp type, too-small integer type, varchar limits, predictable index speed...
Edit: More NULL, or maybe lack thereof cause they use the string "NULL" instead? https://news.ycombinator.com/item?id=20676904
> I can't imagine how the schema would reveal SQL injection holes.
It wouldn't. I'm just assuming that the thrust of the hypothetical negligence accusation was "The schema is useless unless you have SQL injection holes. So give us the schema or admit you are negligent!" But you're correct that there are other justifications one could make to keep the schema secret.
The schema can provide an insight into what the application developer was thinking when writing the code, which in turn can direct an attacker towards tricky corners where mistakes might have been made.
This is the city government here. The people arguing the case didn't write the code and don't have time to look through all their code, but one thing they do know is that it was written by monkeys. They probably have some level of reason to believe there are SQL injections available in the code.