Merge branch 'main' of github.com:UCSB-Library-Research-Data-Services/bren-eds213

Author: brunj7

_quarto.yml

@@ -35,9 +35,9 @@ website:
           - modules/week05/hw-05-2.qmd
           - modules/week05/hw-05-3.qmd
           - modules/week05/hw-05-4.qmd
-          #- modules/week06/hw-06-1.qmd
-          #- modules/week06/hw-06-2.qmd
-          #- modules/week06/hw-06-3.qmd
+          - modules/week06/hw-06-1.qmd
+          - modules/week06/hw-06-2.qmd
+          - modules/week06/hw-06-3.qmd
           #- modules/week07/hw-07-1.qmd
           #- modules/week07/hw-07-2.qmd
           #- modules/week07/hw-07-3.qmd

modules/week06/hw-06-1.qmd

@@ -2,19 +2,58 @@
 title: "Week 6 - Little Bobby Tables"
 ---
 
-View this classic XKCD cartoon:
+**Please use Canvas to return the assignments: <https://ucsb.instructure.com/courses/26293/assignments/361496>**
+
+In class we discussed how to parameterize a query and then insert values for the parameter(s):
+
+```         
+query_template = "SELECT ... WHERE Species = ? AND ageMethod = ?"
+species = "wolv"
+age_method = "float"
+cur.execute(query_template, [species, age_method])
+```
+
+The bare question marks in the template are placeholders. The database driver substitutes the supplied parameter values before submitting to the database, appropriately adding any quoting and character escaping as necessary.
+
+You may decide you want to use your own Python string substitution instead:
+
+```         
+query_template = "SELECT ... WHERE Species = '%s' AND ageMethod = '%s'"
+species = "wolv"
+age_method = "float"
+cur.execute(query_template % (species, age_method))
+```
+
+Before you do that, recognize that this practice continues to this day to be a **major** source of security exploits. To understand why, view this classic XKCD cartoon:
 
 ![https://xkcd.com/327](exploits_of_a_mom_2x.png)
 
-For the purposes of this problem you may assume that at some point the school's system performs the query
+To interpret the above, you may assume that at some point the school's system performs the query
 
 ```         
 SELECT *
     FROM Students
-    WHERE (name = '%s' AND year = 2024);
+    WHERE (name = '%s' AND ...);
 ```
 
-where a student's name, as input by a user of the system, is directly substituted for the `%s`. Explain exactly how Little Bobby Tables' "name" can cause a catastrophe. Also, explain why his name has two dashes (`--`) at the end.
+where a student's name, as input by a user of the system, is directly substituted for the `%s`.
+
+## Part 1
+
+Explain exactly how Little Bobby Tables' "name" can cause a catastrophe. Explain why his name has two hyphens (`--`) at the end.
+
+## Part 2
+
+Suppose instead the school system executed the query
+
+```         
+SELECT *
+    FROM Students WHERE name = '%s';
+```
+
+What "name" would Little Bobby Tables use to destroy things in that case?
+
+**Credit: 15 points**
 
 ## Bonus problem!
 

modules/week06/hw-06-2.qmd

@@ -2,6 +2,8 @@
 title: "Week 6 - Characterizing egg variation"
 ---
 
+**Please use Canvas to return the assignments: <https://ucsb.instructure.com/courses/26293/assignments/361506>**
+
 You read [Egg Dimensions and Neonatal Mass of Shorebirds](https://www.jstor.org/stable/1367334) by Robert E. Ricklefs and want to see how the egg data we've been using in class compares to his results. Specifically, Ricklefs reported, "Coefficients of variation were 4 to 9% for egg volume" for shorebird eggs gathered in Manitoba, Canada. What is the range of coefficients of variation in our ASDN dataset?
 
 The "coefficient of variation," or CV, is a unitless measure of the variation of a sample, defined as the standard deviation divided by the mean and multiplied by 100 to express as a percentage. Thus, a CV of 10% means the standard deviation is 10% of the mean value. For the purposes of this computation, we will copy Ricklefs and use as a proxy for egg volume the formula
@@ -72,6 +74,8 @@ Pluvialis dominica 19.88%
 Pluvialis squatarola 6.94%
 ```
 
+**Credit: 55 points**
+
 # Appendix
 
 It's not necessary to use `pd.read_sql` to get data into a dataframe, it's just a convenience. To do so manually (and to show you it's not that hard), imagine that your query returns three columns. Collect the row data into three separate lists, then manually create a dataframe specifying the contents as a dictionary:

modules/week06/hw-06-3.qmd

@@ -2,6 +2,8 @@
 title: "Week 6 - Who were the winners?"
 ---
 
+**Please use Canvas to return the assignments: <https://ucsb.instructure.com/courses/26293/assignments/361508>**
+
 At the conclusion of the ASDN project the PIs decided to hand out first, second, and third prizes to the observers who measured the most eggs. Who won? Please use R and dbplyr to answer this question, and please submit your R code. Your code should print out:
 
 ```         
@@ -22,3 +24,5 @@ egg_table <- tbl(conn, "Bird_eggs")
 and then use tidyverse grouping, summarization, joining, and other functions to compute the desired result.
 
 Also, take your final expression and pipe it into `show_query()`. If you used multiple R statements, did dbplyr create a temporary table, or did it manage to do everything in one query? Did it limit to the first three rows using an R expression or an SQL LIMIT clause?
+
+**Credit: 30 points**