TechnicalDepth — Software Archaeology Platform

Museum Wire

Law 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.◆Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.◆◆ 2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.◆Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.◆◈ AXM-001Set Theory — Membership, Boundaries, and Belonging◆Law III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.◆◆ 2026 IncidentClaude Code — The Accept-Data-Loss Flag◆Law IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.◆Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.◆◆ 2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux Distribution◆◈ AXM-002Boolean & Propositional Logic — True, False, and the Excluded Middle◆Law VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.◆◆ 2025Amazon Kiro — The 13-Hour Outage◆◆ 2025Operation Chrysalis: The Notepad++ Supply Chain Hijack◆◆ 2025Replit Agent — The Vibe Code Wipe◆◆ 2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem◆◆ 2024Air Canada Chatbot — The Policy That Wasn't◆◆ 2024Change Healthcare — One-Third of US Healthcare, One Missing MFA◆◆ 2024CrowdStrike — The Security Update That Broke the World◆◆ 2024Google Gemini Image Generation — The Six-Day Pause◆◆ 2024XZ Utils — The Two-Year Infiltration◆◆ 20233CX — The Supply Chain That Ate Another Supply Chain◆◆ 2023Amazon Prime Video — The Per-Frame State Machine◆◆ 2023Bing Sydney — The Chatbot That Went Rogue◆◆ 2023Samsung ChatGPT Leak — The Employee Who Pasted the Secret◆EFFODE · LEGE · INTELLEGE◆Law 0 · Katie's LawEvery system is shaped by the human drive to do less work. This is not a flaw. It is the economic force that produces all software — and all software failure.◆Law I · Boundary CollapseWhen data crosses into a system that interprets structure, without being constrained, it becomes executable.◆◆ 2026 IncidentAxios. 70 Million Downloads a Week. North Korea Inside.◆Law II · Ambient AuthorityWhen a system trusts the presence of a credential instead of verifying the intent behind it, authentication becomes indistinguishable from authorization.◆◈ AXM-001Set Theory — Membership, Boundaries, and Belonging◆Law III · Transitive TrustWhen a system inherits trust from a source it did not verify, the attack surface extends to everything that source touches.◆◆ 2026 IncidentClaude Code — The Accept-Data-Loss Flag◆Law IV · Complexity AccretionSystems do not become complex. They accumulate complexity — one reasonable decision at a time — until no single person can hold the whole in their head.◆Law V · Temporal CouplingCode that assumes sequential execution, stable state, or consistent timing will fail the moment concurrency, scale, or latency proves the assumption wrong.◆◆ 2026 IncidentCopy Fail — 732 Bytes to Root on Every Linux Distribution◆◈ AXM-002Boolean & Propositional Logic — True, False, and the Excluded Middle◆Law VI · Observer InterferenceWhen the system that monitors health becomes a participant in the system it monitors, observation becomes a failure vector.◆◆ 2025Amazon Kiro — The 13-Hour Outage◆◆ 2025Operation Chrysalis: The Notepad++ Supply Chain Hijack◆◆ 2025Replit Agent — The Vibe Code Wipe◆◆ 2025Shai-Hulud — The npm Worm That Ate Its Own Ecosystem◆◆ 2024Air Canada Chatbot — The Policy That Wasn't◆◆ 2024Change Healthcare — One-Third of US Healthcare, One Missing MFA◆◆ 2024CrowdStrike — The Security Update That Broke the World◆◆ 2024Google Gemini Image Generation — The Six-Day Pause◆◆ 2024XZ Utils — The Two-Year Infiltration◆◆ 20233CX — The Supply Chain That Ate Another Supply Chain◆◆ 2023Amazon Prime Video — The Per-Frame State Machine◆◆ 2023Bing Sydney — The Chatbot That Went Rogue◆◆ 2023Samsung ChatGPT Leak — The Employee Who Pasted the Secret◆EFFODE · LEGE · INTELLEGE◆

Keyboard Navigation
W↑
A←
S↓
D→
or arrow keys · M for map · Q to exit

← Back to The Archive
2003activeinjection
Use Prepared Statements for SQL QueriesSeparate SQL structure from user-supplied data using parameterized queries
2 min read · Official Docs
Status
Still Active
Why It Made Sense
Parameterized queries structurally prevent SQL injection by ensuring user input is always treated as data, never as SQL syntax. The database engine compiles the query structure separately from the parameter values.
By 2003, the security community had converged on a consensus: the only reliable defense against SQL injection was to structurally separate the query from its parameters. Prepared statements accomplish this by sending the SQL template and the user data in separate channels — the database compiles the query plan first, then binds the data as literal values. The data can never modify the query structure because it is never part of the query structure.
Why it replaced concatenation: Escaping and sanitization proved brittle — they required developers to anticipate every possible bypass in every database engine. Prepared statements moved the defense from the application (where it was inconsistently applied) to the database protocol (where it was structurally enforced).
Why it persists as best practice: Despite ORMs and query builders adding higher-level abstractions, prepared statements remain the foundational mechanism. When an ORM generates a query, it uses prepared statements internally. When developers drop to raw SQL (and they always do), prepared statements are the last line of defense.
The limitation: Prepared statements protect data parameters but cannot parameterize table names, column names, or ORDER BY directions. These require whitelisting — a separate discipline that many developers forget once they believe parameterization has solved the problem.
Sources Where This Was Taught
OWASP SQL Injection Prevention Cheat SheetPHP PDO DocumentationJava JDBC PreparedStatement API
Languages Affected
PHPJavaPythonC#JavaScript
Related
◉ Best Practice
Load All Data at Application Startup
1992 · superseded
◉ Best Practice
Build SQL Queries with String Concatenation
1998 · inverted
◉ Best Practice
Lazy Load Data On Demand
2005 · active
◉ Best Practice
Apply the Circuit Breaker Pattern
2007 · active
◉ Best Practice
Decompose Everything into Microservices
2014 · superseded
◉ Best Practice
Implement Health Check Endpoints
2015 · active
◆ Disaster
The Morris Worm — The First Internet Pandemic
1988 · breach
◆ Disaster
TJX — The First Mega-Breach
2007 · breach
◆ Disaster
Heartland Payment Systems — 130 Million Cards
2008 · breach
◆ Disaster
Equifax — 147 Million Americans Exposed
2017 · breach
◆ Disaster
Log4Shell — The Library That Logged Its Way to RCE
2021 · breach
◆ Disaster
McKinsey Lilli — The Prompt Layer Was Always the Target
2026 · breach
◎ Hero
Georgia Tech
@georgiatech · pioneer, builder, breaker
◎ Hero
Ken Thompson
@ken · pioneer, builder, breaker
◎ Hero
Larry Ellison
@ellison · pioneer, builder
◎ Hero
Larry Wall
@larry · pioneer, builder
◎ Hero
Microsoft
@microsoft · builder
◎ Hero
Netscape
@netscape · pioneer, builder
◎ Hero
OWASP Foundation
@owasp · voice, builder
◎ Hero
Tim Berners-Lee
@timbl · pioneer, builder
◈ Exhibit
Set Theory — Membership, Boundaries, and Belonging
AXM-001
◈ Exhibit
The Concatenated Query
EXP-001
◈ Exhibit
The Embedded Script
EXP-013
◈ Exhibit
The Instructed Hallucination
EXP-018