Perhaps we can have multiple databases, each of which demonstrate a different "level" of security. E.g. for SQL injection, one could have none at all, the next could include just some basic escaping of certain SQL commands, one could use stored procedures instead, etc.

That way, we can demonstrate the differences between each technique, along with pros and cons, so junior DBAs can see exactly what each one provides and examples for implementation.