New demo for students

While going through some course projects, I noticed several deliverables that use a SQL database.

If you are just hacking something together to quickly test or demonstrate a thing, you do not necessarily have to do things as they should be done. Course projects, however, are usually not quick hacks: they should demonstrate the things you have been taught and the things you have actually learned.

So, for course projects using SQL databases, this means that you should do things so that the database is not exposed to simple SQL injections, and that you should actually encrypt confidential data, such as passwords saved in database tables.

Why am I being such an asshole, expecting these things to be done properly in student course projects?

  • Because the way you implement things demonstrates what you have learned, and demonstrating that in course projects is kind of expected.
  • Because the things you learn in the courses of a study program should be carried on from course to course, accumulating skills and knowledge.
  • Because the things you consistently design and implement become embedded in your deeper knowledge and skills, and are then easier to put to use when needed in real-life settings.
  • Because when you know at least the basics of these things, you perhaps do not expose real apps and systems to these vulnerabilities when you go to work in the industry. Something that happens way too often…

So, if you do use a SQL database in your course work, do the basic things the way they should be done: use prepared queries instead of exposing the app to SQL injection, and encrypt the confidential data, at least the user passwords.
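To make the two points concrete, here is an added example written for this post (it is not the demo app described below, which is not reproduced here). It uses Python's sqlite3 module with an in-memory database and constructed sample users; for the password part it stores a salted PBKDF2 hash, which is the standard way to protect stored passwords rather than reversible encryption.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users for this example; not from the original post.
SAMPLE_USERS = [("alice", "correct horse"), ("o'brien", "battery staple")]


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Return 'iterations$salt_hex$hash_hex' computed with PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    for name, pw in SAMPLE_USERS:
        # Only the hash reaches the table; the plaintext password is never stored.
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, hash_password(pw)))
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str):
    # The 'before' form: user input spliced into the SQL text. A quote in the
    # input changes the statement itself, which is exactly what SQL injection abuses.
    return conn.execute(f"SELECT username FROM users WHERE username = '{username}'").fetchone()


def find_user_safe(conn: sqlite3.Connection, username: str):
    # Prepared (parameterised) query: the input is bound as data, whatever it contains.
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()


def unsafe_lookup_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True if the string-built query cannot even handle this username."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

A perfectly legitimate username such as o'brien already breaks the string-built query, while the prepared one handles it; the same property is what keeps crafted input from altering the statement.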

I made a demo app to show how this is done, and a (Finnish) YouTube video demonstrating these things in action for anyone learning the basics of database programming.

Yes, I know this demo app is not perfect either. But the idea is to demonstrate, simply, how to handle these very basic, small things in database programming. Small things that still have a considerable impact on app security.