Severity: Critical | CWE-89

SQL Injection: Detection & Auto-Fix

SQL injection occurs when untrusted data is sent to a database interpreter as part of a query. An attacker can use SQL injection to manipulate queries, access unauthorized data, modify or delete records, and in some cases execute operating system commands. It is consistently ranked as one of the most dangerous vulnerabilities in the OWASP Top 10 and is the leading cause of data breaches in web applications.

Why AI tools generate this vulnerability

AI Risk Factor

AI assistants frequently generate SQL queries using string concatenation or template literals instead of parameterized queries. When prompted to "query the database for a user by email," tools like Copilot and Cursor will often produce code like `query("SELECT * FROM users WHERE email = '" + email + "'")` instead of using prepared statements. This happens because AI models are trained on vast codebases that include legacy code, tutorials with shortcuts, and examples that prioritize readability over security. In benchmarks, over 30% of AI-generated database queries contain SQL injection vulnerabilities.

Vulnerable code example

VULNERABLE
// JavaScript — AI-generated vulnerable code (Express + node-postgres)
const express = require("express");
const { Pool } = require("pg");
const app = express();
const db = new Pool();

app.get("/api/users", async (req, res) => {
  const { email } = req.query;

  // VULNERABLE: the user-controlled value is interpolated into the SQL text,
  // so a quote inside `email` changes the structure of the statement
  const result = await db.query(
    `SELECT * FROM users WHERE email = '${email}'`
  );

  res.json(result.rows);
});

# Python — AI-generated vulnerable code (Flask + a DB-API cursor such as psycopg2)
from flask import Flask, request, jsonify

app = Flask(__name__)
# `cursor` is a DB-API cursor opened elsewhere (connection setup omitted)

@app.route("/api/users")
def get_user():
    email = request.args.get("email")

    # VULNERABLE: the f-string builds the SQL text from user input,
    # so a quote inside `email` changes the structure of the statement
    cursor.execute(
        f"SELECT * FROM users WHERE email = '{email}'"
    )

    return jsonify(cursor.fetchall())

Secure code example

SECURE
// JavaScript — parameterized query (secure; Express + node-postgres)
const express = require("express");
const { Pool } = require("pg");
const app = express();
const db = new Pool();

app.get("/api/users", async (req, res) => {
  const { email } = req.query;

  // SECURE: the SQL text is a fixed string and the value travels separately
  // as a bound parameter ($1 is node-postgres placeholder syntax; mysql2 uses ?)
  const result = await db.query(
    "SELECT * FROM users WHERE email = $1",
    [email]
  );

  res.json(result.rows);
});

# Python — parameterized query (secure; Flask + a DB-API cursor such as psycopg2)
from flask import Flask, request, jsonify

app = Flask(__name__)
# `cursor` is a DB-API cursor opened elsewhere (connection setup omitted)

@app.route("/api/users")
def get_user():
    email = request.args.get("email")

    # SECURE: %s is the driver's placeholder (psycopg2 / mysqlclient paramstyle;
    # sqlite3 uses ?), not Python string formatting. The value is passed in the
    # parameter tuple and is never spliced into the query text.
    cursor.execute(
        "SELECT * FROM users WHERE email = %s",
        (email,)
    )

    return jsonify(cursor.fetchall())
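The following is an added example, not code from the page or from CodeShield. It runs the vulnerable and the parameterized lookup shown above against an in-memory SQLite table with constructed rows, so the difference can be observed offline. SQLite's placeholder is `?`, where node-postgres uses `$1` and psycopg2 uses `%s`; the principle is identical. A legitimate address containing an apostrophe is enough to show the mechanism: the spliced value becomes part of the statement and breaks it, while the bound parameter is handled correctly.

```python
"""Added example (not from the page): the vulnerable and the parameterized
lookup from the snippets above, run against an in-memory SQLite table with
constructed rows.  SQLite's placeholder is '?', where node-postgres uses '$1'
and psycopg2 uses '%s'; the principle is identical."""
import sqlite3


def make_db():
    """Constructed sample data; the second address contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [("alice@example.com",), ("o'brien@example.com",)],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Mirrors the f-string version: the value becomes part of the SQL text,
    so a quote in the value changes the statement's structure."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_secure(conn, email):
    """Mirrors the parameterized version: the SQL text is fixed and the value is
    bound by the driver, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def compare(email):
    """Return (vulnerable_result, secure_result) for one lookup.
    A database error raised by the vulnerable path is returned as its message."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, email)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    secure = lookup_secure(conn, email)
    conn.close()
    return vulnerable, secure


if __name__ == "__main__":
    for email in ("alice@example.com", "o'brien@example.com"):
        print(email, "->", compare(email))
```

For `alice@example.com` both paths return the same row. For `o'brien@example.com` the vulnerable path raises a syntax error because the apostrophe terminates the string literal early, which is exactly the structural control over the statement that the page describes an attacker exploiting; the parameterized path returns the O'Brien row.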

How CodeShield detects this

CodeShield uses multi-layer static analysis to detect SQL injection vulnerabilities across your entire codebase:

Pattern matching for string concatenation in SQL query functions (db.query, cursor.execute, Statement.execute)
Detection of template literals and f-strings containing SQL keywords (SELECT, INSERT, UPDATE, DELETE)
Analysis of ORM raw query methods (Prisma $queryRaw, Sequelize literal, ActiveRecord find_by_sql)
Taint analysis tracking user input from request parameters to query execution
Framework-specific detection for Express, Django, Flask, Rails, Spring, and Laravel
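To make the first, second and fourth checks in the list concrete, here is an added illustrative detector written for this page; it is not CodeShield's implementation. It parses Python source with the standard `ast` module and flags query-executing calls whose SQL argument is built dynamically (f-string, `+` concatenation, `%` formatting or `.format(...)`) and contains an SQL keyword, then applies a simple flow-insensitive taint track from request parameters to that call. The query method names, the taint-source attribute chains and the three sample inputs are assumptions constructed for the demo.

```python
"""AST-based detector for the SQL injection patterns listed above.

Added illustrative example (not CodeShield's implementation).  It applies three of
the listed checks to Python source: dynamic string construction (f-string, '+',
'%', str.format) as the first argument of a query-executing call, SQL keywords
inside that string, and a flow-insensitive taint track from request parameters
to the call.  The method names, taint sources and sample inputs below are
assumptions constructed for the demo."""
import ast

QUERY_METHODS = {"execute", "executemany", "query", "raw", "find_by_sql"}
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE")
# Assumed taint sources: attribute chains that read request data (Flask / Django)
TAINT_SOURCES = ("request.args", "request.form", "request.json",
                 "request.GET", "request.POST")


def _dotted(node):
    """Render an `a.b.c` attribute chain as a string, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _contains_sql_keyword(node):
    """True if any string literal inside `node` contains an SQL keyword."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if any(kw in sub.value.upper() for kw in SQL_KEYWORDS):
                return True
    return False


def _is_dynamic_string(node):
    """f-string, '+' concatenation, '%' formatting or a .format(...) call."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _reads_request_data(node):
    """True if the expression reads from one of the assumed taint sources."""
    return any((_dotted(sub) or "").startswith(TAINT_SOURCES)
               for sub in ast.walk(node))


def find_sql_injection(source):
    """Return (line, reason) findings for every suspicious query call in `source`."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        # Pass 1: names assigned from request data anywhere in the function
        tainted = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _reads_request_data(node.value):
                tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
        # Pass 2: query calls whose SQL argument is built dynamically
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in QUERY_METHODS and node.args):
                continue
            sql = node.args[0]
            if not (_is_dynamic_string(sql) and _contains_sql_keyword(sql)):
                continue  # fixed SQL text with bound parameters is the safe pattern
            names = {n.id for n in ast.walk(sql) if isinstance(n, ast.Name)}
            if names & tainted or _reads_request_data(sql):
                findings.append((node.lineno, "request data reaches dynamically built SQL"))
            else:
                findings.append((node.lineno, "SQL built from a dynamic string"))
    return findings


# Constructed samples mirroring the page's Flask snippets
VULNERABLE_SAMPLE = '''
@app.route("/api/users")
def get_user():
    email = request.args.get("email")
    cursor.execute(f"SELECT * FROM users WHERE email = '{email}'")
    return jsonify(cursor.fetchall())
'''

SECURE_SAMPLE = '''
@app.route("/api/users")
def get_user():
    email = request.args.get("email")
    cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
    return jsonify(cursor.fetchall())
'''

CONCAT_SAMPLE = '''
def count_rows(table):
    cursor.execute("SELECT COUNT(*) FROM " + table)
    return cursor.fetchone()[0]
'''

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SAMPLE), ("secure", SECURE_SAMPLE),
                      ("concat", CONCAT_SAMPLE)]:
        print(name, find_sql_injection(src))
```

The vulnerable sample produces one finding at the `cursor.execute` line with the taint reason, the secure sample produces none because its SQL argument is a plain string literal, and the concatenation sample is flagged with the weaker "dynamic string" reason since its input is a function parameter rather than request data. A real tool needs inter-procedural taint tracking and knowledge of ORM raw-query methods on top of this, which is what separates the list above from a regex.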


Scan for SQL injection in your repos

CodeShield detects SQL injection and 5+ other vulnerability types across your entire codebase. Auto-fix with AI in one click.
