'); DROP TABLE textbooks;--: An Argument for SQL Injection Coverage in Database Textbooks
Abstract
In this position paper, we look at the representation of SQL injection within undergraduate database textbooks, and argue that both the discussion of security issues and the security of example code must be improved. SQL injection is a common database exploit that takes advantage of programs which incorrectly incorporate user input into SQL statements. Teaching students how to write parameterized SQL statements is key to preventing this widespread attack. We look at the current editions of seven textbooks used at the top 50 US CS programs, and analyze their coverage of SQL injection, their use of parameterized queries, and the correctness of their examples. We find a wide variety in the amount of coverage given to the topic, from none at all to in-depth coverage of defenses. Additionally, in two of the seven textbooks we find SQL-injectable code given as examples of how to correctly write queries.
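As an added illustration of the two practices the abstract contrasts (this is example code written for this page, not code from the paper or its authors), the Python script below uses the standard sqlite3 module and a constructed two-row `textbooks` table. It places a lookup built by string concatenation beside its parameterized form, and then inserts the payload from the paper's title both ways. The helper names (`make_db`, `find_vulnerable`, `find_parameterized`, `add_vulnerable`, `add_parameterized`, `table_exists`) and the sample rows are assumptions for this example. The stacked-statement insert is run through `executescript`, because sqlite3's `execute` refuses to run more than one statement; it stands in for database drivers that accept stacked statements.

```python
import sqlite3

# Constructed sample rows for this example (not data from the paper).
SAMPLE_TEXTBOOKS = [
    ("Database System Concepts", 2019),
    ("Fundamentals of Database Systems", 2015),
]


def make_db():
    """Create an in-memory database holding a small 'textbooks' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE textbooks (title TEXT, year INTEGER)")
    conn.executemany("INSERT INTO textbooks VALUES (?, ?)", SAMPLE_TEXTBOOKS)
    conn.commit()
    return conn


def find_vulnerable(conn, title):
    """Injectable: the input is pasted into the SQL text, so quotes and
    operators inside it become part of the statement the engine parses."""
    sql = "SELECT title, year FROM textbooks WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_parameterized(conn, title):
    """Safe: the '?' placeholder is bound to the value by the driver after
    the statement is parsed, so the input can only ever be a string value."""
    sql = "SELECT title, year FROM textbooks WHERE title = ?"
    return conn.execute(sql, (title,)).fetchall()


def add_vulnerable(conn, title):
    """Injectable insert. executescript() models a database API that runs
    stacked statements; sqlite3's execute() would refuse the second one,
    which is a property of this driver rather than a defense."""
    sql = "INSERT INTO textbooks (title) VALUES ('" + title + "')"
    conn.executescript(sql)


def add_parameterized(conn, title):
    """Safe insert: whatever the input contains is stored verbatim as a title."""
    conn.execute("INSERT INTO textbooks (title) VALUES (?)", (title,))
    conn.commit()


def table_exists(conn):
    """Report whether the 'textbooks' table still exists."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'textbooks'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    tautology = "' OR '1'='1"                # classic WHERE-clause bypass
    stacked = "'); DROP TABLE textbooks;--"  # the payload in the paper's title

    conn = make_db()
    print("concatenated:", find_vulnerable(conn, tautology))      # every row
    print("parameterized:", find_parameterized(conn, tautology))  # []

    add_parameterized(conn, stacked)
    print("stored as data:", find_parameterized(conn, stacked))   # one row, title is the payload

    add_vulnerable(conn, stacked)
    print("table survives:", table_exists(conn))                  # False
```

The concatenated lookup turns `' OR '1'='1` into `WHERE title = '' OR '1'='1'` and returns the whole table; the parameterized lookup sends the same bytes as a bound value and matches nothing. The same split appears on the insert: with binding, `'); DROP TABLE textbooks;--` simply becomes a title, while concatenation closes the literal and the statement and lets the stacked `DROP TABLE` run. Escaping quotes by hand is not the lesson here; keeping user input out of the statement text altogether is.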
Repository Citation
Taylor, Cynthia, and Sahell Sakharkar. "'); DROP TABLE textbooks;--: An Argument for SQL Injection Coverage in Database Textbooks." The 50th ACM Technical Symposium on Computer Science Education (SIGCSE 19), February 27-March 2, 2019, Minneapolis, MN.
Publisher
Association for Computing Machinery (ACM)
Publication Date
2-1-2019
Publication Title
SIGCSE '19
Department
Computer Science
Document Type
Article
DOI
https://dx.doi.org/10.1145/3287324.3287429
Keywords
Computer science education
Language
English
Format
text