10aCRUD

Database Management

Mick McQuaid

University of Texas at Austin

10 May 2026

CRUD

  • CRUD stands for Create, Read, Update, and Delete
  • A CRUD app is an app, written in Python, JavaScript, Java or whatever language, designed to manipulate a database through Create, Read, Update, and Delete actions
  • It is the most common kind of database app
  • It is the most common way to manipulate databases

Warning

  • Some CRUD apps allow you to write SQL, which paves the way for SQL injection attacks on the database
  • For example, suppose your app has the query SELECT * FROM items WHERE product_id = $id;
  • and someone writes 10;drop table users--
  • There are now no legitimate users
  • The remedy is to use something called prepared statements instead of inserting what someone wrote directly

Prepared statements

  • These send the query text and the data someone wrote to the database separately, so the data is never interpreted as SQL; they also give you a place to validate and sanitize input rather than passing it through unchanged
  • For example, you could check to see if 10;drop table users-- is an integer and disallow it since it is not
  • You could trigger different kinds of actions for malformed input, depending on the likelihood that it is malicious
  • Prepared statements also improve performance if they are called over and over again with different data, since they’re only parsed and compiled once
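The two slides above describe the attack and the remedy in words; the following is an added example, written for these notes and not part of the original slideshow, that plays both out in Python against an in-memory SQLite database. The schema, the sample rows and the function names are constructed for this example; the payload is the slide's own 10;drop table users--. SQLite's execute() refuses to run more than one statement, so the vulnerable version uses executescript(), which runs every statement in the string the way many database drivers do by default.

```python
import re
import sqlite3

# Constructed schema and rows for this example; not from the slides.
SCHEMA = """
CREATE TABLE items (product_id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, login TEXT);
INSERT INTO items VALUES (10, 'widget'), (11, 'gadget');
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
"""

# The payload from the slide, exactly as someone might type it into the app.
MALICIOUS_INPUT = "10;drop table users--"


def fresh_db() -> sqlite3.Connection:
    """Return a new in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """True if a table of this name is still in the schema catalogue."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> None:
    """The slide's query with the user's text pasted straight into the SQL.

    executescript() runs every statement it is handed and discards the
    SELECT's rows; with the payload the second statement drops the users
    table, which is the side effect the slide warns about.
    """
    sql = f"SELECT * FROM items WHERE product_id = {user_input};"
    conn.executescript(sql)


def lookup_prepared(conn: sqlite3.Connection, user_input) -> list:
    """The same query as a prepared statement.

    '?' is a placeholder; the input is bound as a value, so the database
    compares product_id to the whole string and never parses it as SQL.
    """
    return conn.execute(
        "SELECT * FROM items WHERE product_id = ?", (user_input,)
    ).fetchall()


def validate_product_id(user_input: str) -> int:
    """The check from the slide: accept only an integer, reject anything else."""
    stripped = user_input.strip()
    if not re.fullmatch(r"-?\d+", stripped):
        raise ValueError(f"product_id must be an integer, got {user_input!r}")
    return int(stripped)


def lookup_validated(conn: sqlite3.Connection, user_input: str) -> list:
    """Both defences together: validate first, then bind the integer."""
    return lookup_prepared(conn, validate_product_id(user_input))


if __name__ == "__main__":
    conn = fresh_db()
    lookup_vulnerable(conn, MALICIOUS_INPUT)
    print("users table after vulnerable lookup:", table_exists(conn, "users"))

    conn = fresh_db()
    print("prepared, benign input:", lookup_prepared(conn, "10"))
    print("prepared, payload:", lookup_prepared(conn, MALICIOUS_INPUT))
    print("users table after prepared lookup:", table_exists(conn, "users"))
    try:
        lookup_validated(conn, MALICIOUS_INPUT)
    except ValueError as exc:
        print("rejected before reaching the database:", exc)
```

Running the script shows the users table gone after the vulnerable lookup, while the prepared statement returns the matching row for a benign id, returns nothing for the payload (the whole string is compared as one value), and leaves the users table in place. The validated version never sends the payload to the database at all; raising ValueError is one of the "different kinds of actions" for malformed input that the slide mentions, and an app could log or rate-limit such requests instead.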

Problems with CRUD

  • In 2026, many people use LLMs to write CRUD apps
  • These people usually don’t know about robust programming and security practices
  • The results are usually extremely fragile

END

Colophon

This slideshow was produced using quarto

Fonts are Roboto, Roboto Light, and Victor Mono Nerd Font