I Went to SQL Injection Court

Local politics and data activism

  • Several comments highlight how much more responsive local politics can be than national politics, with examples of getting surveillance oversight ordinances and other policies passed via Facebook groups and similar message boards.
  • A parallel thread discusses zoning reform: eliminating single-family zoning, enabling “missing middle” housing, and pushing upzoning from specific suburbs toward Chicago or even statewide, with debate over feasibility in affluent suburbs.

Why database schemas matter for FOIA

  • Many see schemas as the “headers on government spreadsheets”: essential metadata that makes modern, app-backed records legible enough to request in a targeted way.
  • Without schemas, FOIA requesters are forced into vague natural-language guesses, which agencies can reject as “research” or “unduly burdensome.”
  • Commenters stress that more and more public records now live only inside vendor databases; schemas are a key to keeping these systems FOIA‑able.

Court’s ruling and statutory ambiguity

  • The Illinois Supreme Court ultimately held that schemas are exempt as “file layouts,” based partly on a very generic dictionary definition of “schema.”
  • Several commenters think this reading is technically wrong but legally decisive: once the high court calls schemas per‑se exempt, the only real fix is amending the statute.
  • There’s extended frustration over ambiguous drafting (“would” vs “could,” dangling modifiers) and the sense that language games, not security, decided the outcome.

Security debate: does schema disclosure help attackers?

  • Long back‑and‑forth over how much schemas aid SQL injection:
    • One side argues schemas are usually outputs of successful SQLi, not prerequisites, and that proper defenses (parameterization, WAFs, logging) make obscurity irrelevant.
    • Others counter that knowing table/column names can meaningfully speed up or even enable exploitation in constrained or “blind” scenarios, and thus has at least marginal offensive value.
  • Several note that many open-source or self‑hosted systems necessarily expose their schemas yet still operate securely.
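
Both sides of this debate can be checked against a toy database. The example below is added here and is not code from the thread or the court record. It runs one lookup in concatenated and parameterized form against two inputs, one written with knowledge of the schema and one without. The table names, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed schema and rows; not taken from any real system.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, plate TEXT, status TEXT);
        CREATE TABLE officers (badge TEXT, pin TEXT);
        INSERT INTO tickets (plate, status) VALUES ('ABC123', 'open'), ('XYZ789', 'void');
        INSERT INTO officers VALUES ('B-17', '4321');
    """)
    return db

def lookup_concat(db, plate):
    # Vulnerable form: the input is spliced into the SQL text and parsed as SQL.
    sql = "SELECT plate, status FROM tickets WHERE plate = '" + plate + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, plate):
    # Hardened form: the input is bound as a value and never parsed as SQL.
    sql = "SELECT plate, status FROM tickets WHERE plate = ?"
    return db.execute(sql, (plate,)).fetchall()

# Input written with knowledge of the schema (table and column names).
WITH_SCHEMA = "' UNION SELECT badge, pin FROM officers --"
# Input written without it: the engine's own catalog hands the schema back.
WITHOUT_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"

def compare():
    # For each input, return (rows from concatenated form, rows from bound form).
    db = make_db()
    cases = (("with_schema", WITH_SCHEMA), ("without_schema", WITHOUT_SCHEMA))
    return {name: (lookup_concat(db, p), lookup_param(db, p)) for name, p in cases}

if __name__ == "__main__":
    for name, (concat_rows, param_rows) in compare().items():
        print(name, "| concatenated:", concat_rows, "| parameterized:", param_rows)
```

In the concatenated form the schema-free input returns the `CREATE TABLE` text itself, while the parameterized form returns no rows for either input.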

Motivations, suspicions, and workarounds

  • The FOIA requester says a tip suggested certain vendors’ tickets may be secretly auto‑voided; knowing the schema could reveal whether such a mechanism exists.
  • Some suspect broader worries: schemas might expose biased or dubious fields (e.g., flags for exemptions) or make it easier to prove discriminatory enforcement.
  • Suggested workarounds—requesting one row per table, natural-language “data dictionaries,” or introspection queries—run into FOIA’s “no new records” rule and the new schema exemption.

FOIA practice, resistance, and reform ideas

  • Commenters recount agencies quoting massive fees, dragging cases out for years, or reflexively denying requests even when they’ll likely lose. Penalties and fee‑shifting exist but are seen as too weak when officials are spending public money.
  • Ideas raised: strengthening penalties for bad‑faith denials, explicitly requiring schema disclosure, clarifying that “file layout” shouldn’t cover logical design, and broader “public money → open source” requirements for government software.