);DROP TABLE textbooks;--: An Argument for SQL Injection Coverage in Database Textbooks

Abstract

In this position paper, we look at the representation of SQL injection within undergraduate database textbooks, and argue that both discussion of security issues and security of example code must be improved. SQL injection is a common database exploit which takes advantage of programs that incorrectly incorporate user input into SQL statements. Teaching students how to write parameterized SQL statements is key to preventing this widespread attack. We look at the current editions of seven textbooks used at the top 50 US CS programs, and analyze their coverage of SQL injection, use of parameterized queries, and correctness of examples. We find a wide variety in the amount of coverage given to the topic, from none at all to in-depth coverage of defenses. Additionally, we find cases of SQL-injectable code given as examples of how to correctly write queries in two of seven textbooks.
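The contrast the abstract draws, shown as an added example that is not part of the paper: the same lookup written by pasting user input into the SQL text (the pattern the authors found in textbook examples) and rewritten with a placeholder parameter. The `textbooks` table and its rows are constructed here for the demonstration, using Python's standard `sqlite3` module.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data (not from the paper): a tiny in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE textbooks (id INTEGER PRIMARY KEY, title TEXT, isbn TEXT)")
    conn.executemany(
        "INSERT INTO textbooks (title, isbn) VALUES (?, ?)",
        [("Database Systems", "978-0000000001"), ("Modern DB", "978-0000000002")],
    )
    return conn


def find_by_isbn_vulnerable(conn: sqlite3.Connection, isbn: str) -> list:
    # The pattern the paper warns against: the caller's string becomes part of
    # the SQL text, so a quote character in it changes the query's structure.
    sql = "SELECT title FROM textbooks WHERE isbn = '" + isbn + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_isbn_parameterized(conn: sqlite3.Connection, isbn: str) -> list:
    # The defense the paper recommends: the value travels separately from the
    # statement text, so the database never parses it as SQL.
    sql = "SELECT title FROM textbooks WHERE isbn = ?"
    return [row[0] for row in conn.execute(sql, (isbn,))]


def demo() -> dict:
    # Run both versions on an ordinary ISBN and on the classic probe string that
    # database textbooks use to illustrate the problem.
    conn = make_db()
    normal = "978-0000000001"
    probe = "x' OR '1'='1"
    return {
        "vuln_normal": find_by_isbn_vulnerable(conn, normal),
        "vuln_probe": find_by_isbn_vulnerable(conn, probe),   # every row leaks
        "param_normal": find_by_isbn_parameterized(conn, normal),
        "param_probe": find_by_isbn_parameterized(conn, probe),  # no such ISBN
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against the concatenated query the probe matches every row, because the WHERE clause now reads `isbn = 'x' OR '1'='1'`; the parameterized query treats the whole string as an ISBN and returns nothing.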

Publisher

Association for Computing Machinery (ACM)

Publication Date

2-1-2019

Publication Title

SIGCSE '19

Department

Computer Science

Document Type

Article

DOI

https://dx.doi.org/10.1145/3287324.3287429

Keywords

Computer science education

Language

English

Format

text