
If you ask the librarian to hold a book-burning party, and they do, should you get off scot-free?


Not if I tricked the librarian into setting fire to the library.


What really is the line between tricked and asked? Deceit?

Let's go with deceit.

So is asking for book ISBN '1; DROP TABLE books; --' deceitful? Perhaps, that's not an ISBN after all. Is asking for book ISBN [some valid ISBN that you pulled out of your ass, but happens to exist] deceitful? I don't think so. If you are just asking for randomly chosen ISBNs and getting responses, I don't think there is any trickery involved.

In one case you are counting on the system to correctly understand your (validly constructed) request, in the other case you are counting on the system to misinterpret your request in a dangerous fashion.


I'd like to fix up the analogy a bit. The problem isn't that you're asking for random ISBN numbers; it's that you don't have a library card. The library's electronic catalog won't let you log in without the card, so you just start asking the librarian for random ISBNs and accepting the books he gives you. He doesn't check on your card because no one trained him to do that, but you know that checking out books is meant for card-carrying library members. I sense deceit there.


Sane people would point out that whoever trained that librarian was an idiot.


The line is in the intent.

If I hand the librarian a piece of paper with that SQL-injecting ISBN my culpability depends on whether I was aware of the likely gravity of my actions or whether e.g. I was told to get that piece of paper by a trusted source (e.g. my supervisor) and didn't even read it.


What really is the line between tricked and asked? Deceit?

What you (the asker/trickster) think the askee thought of it.


Then that is a poor librarian. A good librarian should have just said:

400 BAD REQUEST

Whoever staffed that librarian should interview or train their staff better.
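The "good librarian" from the comments above, as an added example that is not part of the thread: the catalog refuses anything that is not a well-formed ISBN-13 with a 400, and binds the value as a query parameter so it can only ever be treated as data. The in-memory `books` table and its titles are constructed for the example.

```python
import re
import sqlite3


def make_catalog():
    """Constructed in-memory stand-in for the library's catalog database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (isbn TEXT PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", [
        ("9780306406157", "Constructed sample title A"),
        ("9781861972712", "Constructed sample title B"),
    ])
    conn.commit()
    return conn


def valid_isbn13(s):
    """True only if s is exactly 13 digits with a correct ISBN-13 check digit."""
    if not isinstance(s, str) or not re.fullmatch(r"\d{13}", s):
        return False
    # Weights alternate 1,3,1,3,... over the first 12 digits.
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(s[:12]))
    return (10 - total % 10) % 10 == int(s[12])


def lookup(conn, isbn):
    """Return (status, body) for a catalog request, like an HTTP endpoint would.

    Malformed input such as  1; DROP TABLE books; --  never reaches the
    database: it fails validation and gets a 400. Even a string that did
    reach the query is bound with a '?' placeholder, never spliced into SQL.
    """
    if not valid_isbn13(isbn):
        return 400, "BAD REQUEST"
    row = conn.execute(
        "SELECT title FROM books WHERE isbn = ?", (isbn,)
    ).fetchone()
    return (200, row[0]) if row else (404, "NOT FOUND")


def table_exists(conn, name):
    """Check the catalog survived a request (the library was not burned)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

A valid ISBN the catalog happens to hold gets a 200, a valid one it does not hold gets a 404, and the injection string never gets past the front desk.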


You shouldn't have to train your staff not to burn down the building they are working in...


Obviously. If the administrator locked access to matches, nothing could be burned. The admin is responsible for leaving matches open at the library, and allowing the librarian to do as they please.
