'); DROP TABLE textbooks;--: An Argument for SQL Injection Coverage in Database Textbooks
In this position paper, we look at the representation of SQL injection within undergraduate database textbooks, and argue that both the discussion of security issues and the security of example code must be improved. SQL injection is a common database exploit that takes advantage of programs that incorrectly incorporate user input into SQL statements. Teaching students how to write parameterized SQL statements is key to preventing this widespread attack. We look at the current editions of seven textbooks used at the top 50 US CS programs, and analyze their coverage of SQL injection, use of parameterized queries, and correctness of examples. We find a wide variety in the amount of coverage given to the topic, from none at all to in-depth coverage of defenses. Additionally, we find cases of SQL-injectable code given as examples of how to correctly write queries in two of the seven textbooks.
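To make the abstract's two points concrete, here is an added example (not code from the paper or from any of the textbooks it surveys) that places a textbook-style query built by string concatenation next to the parameterized form the authors argue for. The schema, the user rows and the two inputs are constructed for the demo and run against an in-memory SQLite database, so nothing else is needed to try it; the `?` placeholder syntax is SQLite's, and other drivers use `%s` or named parameters.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # The INSERT itself is parameterized; sample values are constructed for the demo.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The pattern the paper flags: user input is spliced into SQL text.

    Anything the caller types becomes part of the statement's syntax, so a
    quote, a comment marker or an OR clause rewrites the WHERE condition.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The defense the paper wants textbooks to teach: parameterized queries.

    The SQL text is fixed at compile time and the driver binds the values
    separately, so input is only ever compared as data, never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def compare(name: str, password: str) -> dict:
    """Run the same credentials through both versions and return both results."""
    conn = setup_db()
    return {
        "vulnerable": login_vulnerable(conn, name, password),
        "parameterized": login_parameterized(conn, name, password),
    }


if __name__ == "__main__":
    # Legitimate credentials: both versions agree.
    print(compare("alice", "s3cret"))
    # A password that turns the condition into "... OR '1'='1'": the
    # concatenated version matches every row, the parameterized one none.
    print(compare("alice", "' OR '1'='1"))
    # A username that ends the quoted literal and comments out the rest of
    # the statement (the "--" from the paper's title), so the password is
    # never checked by the concatenated version.
    print(compare("alice'--", "wrong"))
```

The concatenated version returns the right answer for well-formed input, which is exactly why it survives as a textbook example: the defect is invisible until someone supplies input containing SQL syntax. The parameterized version costs one extra argument and removes the problem for every input.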
Taylor, Cynthia, and Sahell Sakharkar. "'); DROP TABLE textbooks;--: An Argument for SQL Injection Coverage in Database Textbooks." The 50th ACM Technical Symposium on Computer Science Education (SIGCSE 19), February 27-March 2, 2019, Minneapolis, MN.
Association for Computing Machinery (ACM)
Computer science education