I hope that this year we’ll be able to migrate our Data on the Web course to Python and to focus a bit on manipulating data and formats we design.
Which means we can talk about APIs and the crappiness of string hacking for anything. Thus, SQL Injection!
The Code Curmudgeon maintains a SQL Injection Hall-of-Shame which is fascinating and depressing reading. (The page includes helpful links including the invaluable SQL Injection Prevention Cheat Sheet.)
On the one hand, the lesson seems to write itself. On the other, it’s really important to teach this stuff!
(I’ll throw the XSS Prevention Cheat Sheet on here too.)