🩹Vibe Code Fix

SQL Injection

SQL injection is when user input gets concatenated directly into a SQL query, letting an attacker rewrite the query itself. The classic example: `"SELECT * FROM users WHERE name = '" + name + "'"`. If the user enters `' OR '1'='1`, the WHERE clause becomes always true and they get every user row. Worse, `'; DROP TABLE users;--` can delete your database. SQL injection has been on the OWASP Top 10 for more than twenty years, and yet AI assistants still generate it regularly, because the vulnerable version is shorter. The fix is prepared statements or parameterized queries — whatever your driver calls them — where the SQL text and the data are passed separately and the database never interprets the data as code. Every major database library supports this. There's no reason to ever build SQL with string concatenation. When reviewing AI-generated backend code, this is the second thing you look for after authentication. Our checklist flags it critical. A single SQL injection in a production endpoint can mean a full database dump, regulatory reporting obligations, and your product's reputation gone in a day.
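The concatenated query from the paragraph beside its parameterized form, as an added example (not the checklist's own code): it runs both against a constructed in-memory SQLite table so the `' OR '1'='1` input can be seen returning every row in one case and nothing in the other.

```python
import sqlite3


def make_db():
    """Constructed sample data: a three-row users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), ("carol",)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # The pattern the page describes: user input spliced into the SQL text,
    # so quotes in the input rewrite the WHERE clause itself.
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the SQL text is fixed and the value is bound
    # separately, so the database never parses the input as SQL.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the same inputs through both versions and return the rows seen."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice"),
        "vulnerable_payload": find_user_vulnerable(conn, payload),  # every row
        "safe_normal": find_user_safe(conn, "alice"),
        "safe_payload": find_user_safe(conn, payload),  # no user has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```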

