When data crosses into a system that interprets structure, without being constrained or transformed, it becomes executable.
Data contains delimiter characters that collapse the boundary between fields.
If user input appears inside a query, command, template, object stream, or prompt without an intermediate representation that separates data from structure — you are not passing data. You are modifying structure.
Every new execution context recreates this pattern. SQL gave way to NoSQL, HTML to templates, cookies to JWTs, forms to APIs, prompts to agents. The language changes. The failure does not.
Both collapse the boundary between data and structure through delimiter/syntax confusion.
Both are fixed-format data failures from the punch card era. Two-digit years lose century information. Unquoted fields lose delimiter boundaries. Same constraint: 80 columns, every character counts.
Year
1993–present
Context
CSV was never designed. It emerged. Mainframe data exports used commas. Spreadsheets read comma-separated files. Every CRM, every ERP, every line-of-business app had an "Export to CSV" button. The format had no specification (RFC 4180 didn't arrive until 2005), no schema, no type system. Everyone agreed on commas. Nobody agreed on anything else.
Who Built This
Every developer who ever wrote an export function. The CSV writer was always the last feature before ship — quick, easy, "just put commas between the fields." The CSV reader was the import function that had to survive whatever garbage the writer produced.
Threat Model at Time
Data integrity. Would the export round-trip correctly? Would the import put the right data in the right columns? Nobody considered the CSV file itself as an attack vector.
Why It Made Sense
CSV is universally readable. Excel opens it. Notepad opens it. Every language has a way to split on commas. The simplicity was the value proposition. No libraries needed. No parsers needed. Just Split(line, ",").
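The following is an added example (not code from the original page) showing what `Split(line, ",")` does to a record whose fields contain the delimiter, the quote character and a newline, and what the intermediate representation described above (RFC 4180 quoting, via Python's standard `csv` module) does differently. The sample rows are constructed for the illustration; `naive_export`, `naive_import`, `safe_export` and `safe_import` are hypothetical names chosen here.

```python
import csv
import io

# Constructed sample record: the address field carries a comma, a double
# quote and an embedded newline, i.e. every character that CSV uses for
# structure. Nothing here is malicious; it is an ordinary postal address.
SAMPLE_ROWS = [
    ["id", "name", "address", "balance"],
    ["42", "O'Brien, Pat", '12 "Elm" Rd\nSuite 3', "100.00"],
]


def naive_export(rows):
    """The 'just put commas between the fields' writer: no quoting, no escaping."""
    return "\n".join(",".join(fields) for fields in rows) + "\n"


def naive_import(text):
    """The Split(line, ",") reader: the line is the record, the comma is the field."""
    return [line.split(",") for line in text.splitlines() if line]


def safe_export(rows):
    """Writer that quotes any field containing a delimiter, quote or newline
    (RFC 4180 rules) so the data can never be read as structure."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


def safe_import(text):
    """Reader that understands quoting, doubled quotes and quoted newlines."""
    return list(csv.reader(io.StringIO(text)))


def column_drift(parsed, header_width):
    """Return (row_index, width) for every record whose field count does not
    match the header. A cheap integrity check an importer should run, but note
    that a shifted record can still have the right width (see below)."""
    return [(i, len(row)) for i, row in enumerate(parsed) if len(row) != header_width]


if __name__ == "__main__":
    # The naive path: the embedded comma shifts the columns, and the embedded
    # newline splits one record into two. Row 1 still has four fields, so a
    # width check alone would pass it, with the street in the balance column.
    naive = naive_import(naive_export(SAMPLE_ROWS))
    print("naive rows:", naive)
    print("naive drift:", column_drift(naive, len(SAMPLE_ROWS[0])))

    # The quoted path round-trips exactly.
    safe = safe_import(safe_export(SAMPLE_ROWS))
    print("round-trip ok:", safe == SAMPLE_ROWS)
```

The point the example makes is the one the section makes: the failure is not a clever payload, it is ordinary data carrying the format's own syntax. A width check catches the split record but not the shifted one, which is why the fix is to quote on the way out and parse on the way in, not to sanitise after the fact.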
This pattern has been found in applications built by talented developers at respected organizations across every decade of software history. Its presence in a codebase is not a reflection of the developer who wrote it — it is a reflection of what that developer was taught, what tools they had, and the path that was easiest given what they were taught. The goal is not to find fault. The goal is to find the pattern — before it finds you.
Katie's Law: The developers were not wrong. The shortcut was not wrong. The context changed and the shortcut didn't.