15

(Source: https://xkcd.com/327/)

So with the upcoming birth of my first child, I suggested the name "Robert'); drop table *;--". While I was quickly told that wasn't going to happen, I have to wonder what could happen if he was actually named that.

For the less technical, this name contains what is called a SQL injection attack. If the name is entered into a poorly designed SQL system, it could potentially execute a SQL command and drop all tables (i.e. cause the organization's IT manager to have a somewhat bad day, depending on how good their backups are).

So assuming I am able to get this name on his birth certificate and get his SSN assigned under that name (let us assume that the government has been able to build their system such that this name can be handled without issue), what would happen if his name fulfills its intended purpose when signing him up for day care? In that while signing little Bobby Tables up for day care, his name wiped out all their data, and because of their lack of a good IT policy, they have no backups, causing no small amount of trouble for the day care.

What would I be charged with or sued for in this case?

I assume I am on the hook for some sort of malicious destruction of data or somehow liable for the loss of data.

Would this being his name afford any sort of protection? Or would the fact that it was selected intentionally to cause damage be an issue?

Jurisdiction: United States, pick any state you feel like.

Kommissar

4 Answers

20

Your kid is not in trouble; he's a minor. You're in trouble.

A criminal case for the charges a prosecutor would bring, i.e. destruction of property (the data) or for a relevant cyber or computer crime (malware, etc.), and/or a civil case for damages due to the destruction of the data would both hinge on one point: the concept of intent. See intent - Wex Legal Information Institute and Civil Law vs. Criminal Law: The Differences | Rasmussen College.

Did you knowingly intend to cause damage or data loss with the structure of the name? It's pretty clear you did. The structure of a name that can invoke an SQL command is not in any sense a standard name in spelling or format or punctuation. So how would you convince the jury or judge that you had no intent when you named your kid?

The possible poor design of a data system that didn't sanitize inputs is no defense. Saying the door was unlocked so I assume the homeowners didn't care if I trashed their house will get you laughed into jail or on the hook for a stiff civil judgement.

BlueDogRanch
6

No, your future first child would not get into trouble, since they cannot be held responsible for the initial name given to them by another.

You, as the 'responsible' parent, may be held responsible in states such as

  • Connecticut

where

not for fraudulent or nefarious purposes and does not infringe on the rights of another person,

is a condition (if legal in one state, but used in another where it is not).


Robert'); drop table *;--

Would not be allowed in some U.S. states, since it contains symbols that are not allowed:

) ; *

  • Alabama, Arizona, Arkansas, Colorado, Connecticut, Georgia, Idaho
  • Kansas, Massachusetts, Michigan, Minnesota, Montana, New Jersey
  • New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma
  • South Dakota, Texas, West Virginia

In many U.S. states, hyphens and apostrophes are the only two symbols personal names can officially contain. In some computer systems and in the machine-readable zone of a passport, they are omitted (Mary-Kate O'Neill → Mary Kate ONeill).


Sources:

Mark Johnson
4

That string of characters is not acceptable as a name in some jurisdictions in the first place.

will block the name on the basis that the name is on one hand prone to damaging the child, and on the other hand is unprintable by the Bundesdruckerei. Instead, your child will only be registered as the closest equivalent, Robert Drop Table.

will block the name, because it does not use Hiragana, Katakana or approved kanji. The closest would be the phonetic ロバート ドロップ テーブル (Robāto doroppu tēburu) or, using the proper words for drop and spreadsheet, ロバート 落とす 表計算 (Robāto Otosu Omotekeisan).

Trish
1

My child's name is “Robert'); drop table *;--” Is he in trouble?

When signing up, the name itself is unlikely to cause system --and hence legal-- issues. That is, in most cases that scenario of injection would be a non sequitur. Consider the following:

  1. Database implementations typically store first, middle, and last name in separate fields, whence the middle (or last) name starting with drop table would be surrounded by quotes (and thus, be disabled) when inserting into table(s).

  2. Tables are set up --via DDL-- so as to prevent important fields from being null (or have length equal to zero). Accordingly, code prior to the insert command ought to parse the entry so as to avoid abends from the database. Decent parsing code would catch entries for field middle_name (or last_name) which consist of a supposedly empty name '' followed by the drop command.

  3. I am not sure DDL commands accept wildcards as arguments. Of course, that could vary among RDBMSs, I haven't tried this, and I would have to start my test db (no plans to do that right now, haha).

Thus, in the event that signing up does cause a mess, the parent should conduct discovery on the implementation of the system to examine its robustness. Depending on the results of discovery, the parent could support the argument that the database was so weak that proximate or but for causation shall be ruled out. Similarly, poor design & implementation of the database is a mitigating factor, which would reduce the liability --if any-- traceable to the father's choice of name.

I started emphasizing the phrase "when signing up" because harm and liability might ensue if/when the kid's entire name is typed afterwards in other fields that are more "free format". As you surely know, there are fields of much greater length and intended for extended description, narrative, or elaboration of an event. Whereas one may expect reasonable robustness on crucial/key fields of a database table, that expectation does not necessarily hold for free-format fields. That being said, a short version of the kid's long name would most likely be used in free-format fields.

What if the name was unintentionally selected?

(Per initial version of your post ...)

That argument would be unavailing. It is just not credible that (1) a person with no background in databases would choose a name of that sort; and (2) a person with background in databases "did not know" that such last name could harm the database/catalog.

Iñaki Viggers
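Added example, not part of any answer above: the name from the question run against a sign-up routine that pastes it into SQL text, next to one that binds it as a parameter. It assumes SQLite through Python's `sqlite3`, a made-up `Students` table and hypothetical function names; the second test string is the name as it appears in the linked xkcd comic, included because `drop table *` is a syntax error in SQLite (the point raised in item 3 of the last answer).

```python
import sqlite3

PAGE_NAME = "Robert'); drop table *;--"          # name as written in the question
XKCD_NAME = "Robert'); DROP TABLE Students;--"   # name as written in xkcd 327

def fresh_db():
    """In-memory database with one constructed table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Students (name TEXT NOT NULL)")
    return db

def table_exists(db):
    row = db.execute("SELECT count(*) FROM sqlite_master "
                     "WHERE type='table' AND name='Students'").fetchone()
    return row[0] == 1

def students(db):
    return [r[0] for r in db.execute("SELECT name FROM Students")]

def enroll_concatenated(db, name):
    """Weak form: the name becomes part of the SQL text and is run as a script.
    Returns the database error message, or None if the script ran cleanly."""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    try:
        db.executescript(sql)   # runs every statement found in the string
        return None
    except sqlite3.Error as exc:
        return str(exc)

def enroll_parameterized(db, name):
    """Corrected form: the name is bound as data and never parsed as SQL."""
    db.execute("INSERT INTO Students (name) VALUES (?)", (name,))

if __name__ == "__main__":
    db = fresh_db()
    print("page name, concatenated:", enroll_concatenated(db, PAGE_NAME),
          "| table exists:", table_exists(db), "| rows:", students(db))
    db = fresh_db()
    enroll_concatenated(db, XKCD_NAME)
    print("xkcd name, concatenated: table exists:", table_exists(db))
    db = fresh_db()
    enroll_parameterized(db, PAGE_NAME)
    print("page name, parameterized: rows:", students(db))
```

In the concatenated case the quote in the name ends the string literal early, so only `Robert` is stored and the rest is parsed as SQL; with a bound parameter the full name, punctuation included, is stored as an ordinary value.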