Fix SQL Injection Vulnerabilities with AI Prompts

TL;DR

SQL injection is one of the most critical vulnerabilities. These prompts help you find unsafe database queries and convert them to parameterized statements. Never concatenate user input into SQL strings. Always use prepared statements or an ORM.

Find SQL Injection Vulnerabilities

Paste this prompt to have your AI scan every database interaction for SQL injection risks. You'll get a report of each vulnerable query with the file location, an exploitation example, and the safe parameterized replacement.

AI Prompt

Scan for SQL Injection

Scan this codebase for SQL injection vulnerabilities.

Look for:

  1. String concatenation in SQL queries
  2. Template literals with user input in SQL
  3. Raw query methods with unescaped variables
  4. Dynamic table/column names from user input
  5. ORDER BY with user-controlled direction

For each vulnerability found:

  1. Show the vulnerable code
  2. Explain how it could be exploited
  3. Provide the safe, parameterized version

Check all database interactions regardless of ORM/library used.
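The triage the prompt above asks for can be started mechanically before the AI pass. The following is an added example (not code from the original page) of a heuristic line scanner for the first three patterns in the list: string concatenation in SQL, JavaScript template literals with `${...}`, and Python f-strings, `format()` or `%` applied to SQL text. The rule names, the keyword list and the sample source lines are all constructed for this example; it is a regex first pass, not a parser, so it reads one line at a time, keeps SQL keywords case-sensitive to avoid matching ordinary prose, and does not see multi-line strings.

```python
import re

# Heuristic line scanner for the patterns listed in the prompt above.
# Constructed for this example: rule names and the keyword set are ours.
SQL_KW = r"(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|ORDER\s+BY)"


def _quoted(prefix: str, suffix: str) -> re.Pattern:
    # A "..." or '...' literal containing a SQL keyword, with an optional
    # prefix before the opening quote and a required suffix after the close.
    return re.compile(
        rf'{prefix}"[^"]*\b{SQL_KW}\b[^"]*"{suffix}'
        rf"|{prefix}'[^']*\b{SQL_KW}\b[^']*'{suffix}"
    )


RULES = [
    # JS/TS: `SELECT ... ${userId}`
    ("js-template-literal", re.compile(rf"`[^`]*\b{SQL_KW}\b[^`]*\$\{{")),
    # Any language: "SELECT ... " + variable
    ("string-concat", _quoted(prefix="", suffix=r"\s*\+")),
    # Python: f"SELECT ... {name}"
    ("py-fstring", _quoted(prefix=r"\bf", suffix="")),
    # Python: "SELECT ... %s" % x  or  "SELECT ... {}".format(x)
    ("py-format-or-percent", _quoted(prefix="", suffix=r"\s*(?:\.format\(|%\s*[(\w])")),
]


def scan_source(text: str) -> list:
    """Return (line_number, rule_name, stripped_line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed sample source: four vulnerable lines followed by two safe ones
# (placeholders ? and $1 are bound parameters and must not be flagged).
SAMPLE_SOURCE = """\
const q1 = `SELECT * FROM users WHERE id = ${userId}`;
db.query("SELECT * FROM posts WHERE title LIKE '%" + search + "%'");
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM users WHERE id = %s" % user_id)
cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))
db.query("SELECT * FROM posts WHERE id = $1", [postId]);
"""

if __name__ == "__main__":
    for lineno, rule, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {line}")
```

The scanner deliberately does not try to catch dynamic table or column names or ORDER BY direction (items 4 and 5 of the list): those are not visible from string syntax alone and are exactly what the code-reading pass of the prompt is for. Treat every hit as a lead to confirm, and every miss as no evidence of safety.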

Fix Vulnerable Queries

Raw SQL to Parameterized

Copy this prompt to convert string-concatenated SQL queries into parameterized statements. Your AI will show before/after code for each vulnerable query using the correct syntax for your database library.

AI Prompt

Convert to Parameterized

Convert these vulnerable SQL queries to parameterized statements.

Language: JavaScript/Python/other

Database: PostgreSQL/MySQL/SQLite

Vulnerable patterns to fix:

  • SELECT * FROM users WHERE id = ${userId}
  • query("SELECT * FROM posts WHERE title LIKE '%" + search + "%'")
  • f-strings or format() with SQL in Python

Show:

  1. The vulnerable code (before)
  2. The safe parameterized code (after)
  3. Explanation of why the original was vulnerable

Use the appropriate parameterization for my database library.
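The before/after the prompt asks for, worked through for the second pattern in the list (`LIKE '%" + search + "%'`), as an added example that is not part of the original page. It uses Python's standard `sqlite3` module and a constructed in-memory `posts` table; the table, rows and function names are assumptions for this example, and other drivers use different placeholder styles (`%s` for psycopg2 and MySQL, `$1` for node-postgres) but the same principle.

```python
import sqlite3

SQL_ERROR = "SQL_ERROR"  # marker returned when the vulnerable query fails to parse


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with three sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, author) VALUES (?, ?)",
        [("Intro to SQL", "alice"), ("O'Reilly review", "bob"), ("Private draft", "carol")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    # BEFORE: the user's text becomes part of the SQL grammar, so a quote
    # in it changes the statement instead of being matched as data.
    sql = "SELECT title FROM posts WHERE title LIKE '%" + search + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, search: str) -> list:
    # AFTER: sqlite3 uses ? placeholders. The SQL text is fixed; the pattern,
    # wildcards included, travels as a bound value and is never parsed as SQL.
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search + "%",))]


def compare(search: str) -> tuple:
    """Run both versions on a fresh database: (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        vulnerable = search_vulnerable(conn, search)
    except sqlite3.Error:
        vulnerable = SQL_ERROR
    return vulnerable, search_safe(conn, search)


if __name__ == "__main__":
    # A normal term, a term with an apostrophe, and a term containing a quote
    # followed by SQL: only the parameterized version behaves the same for all.
    for term in ["SQL", "O'Reilly", "%' OR '1'='1"]:
        print(repr(term), "->", compare(term))
```

Running it shows the three behaviours the prompt's "explanation of why the original was vulnerable" should cover: the same answer for an ordinary term, a syntax error from the concatenated version on a legitimate apostrophe, and a result set that grows from one row to every row when the input carries SQL of its own, while the parameterized version returns nothing because it looked for that text literally. One caveat that is not injection: `%` and `_` inside the bound value still act as LIKE wildcards, so escape them (with an `ESCAPE` clause) if exact matching matters.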

ORM-Specific Fixes

Use this prompt to fix raw queries that bypass your ORM's built-in protections. Your AI will convert unsafe raw SQL to the ORM's parameterized syntax or its query builder, with examples for Prisma, Sequelize, TypeORM, and SQLAlchemy.

AI Prompt

Fix ORM Raw Queries

Fix SQL injection in raw queries within my ORM.

ORM: Prisma/Sequelize/TypeORM/SQLAlchemy/Drizzle

I have raw queries that bypass the ORM's protections. Fix them:

  1. Use the ORM's parameterized raw query syntax
  2. Or convert to use the ORM's query builder
  3. Show both options when possible

Examples of patterns to fix:

  • Prisma: $queryRaw with string concatenation
  • Sequelize: sequelize.query() with variables
  • TypeORM: query() or createQueryBuilder().where() with raw strings

Prefer using the ORM's built-in methods over raw queries.

SQL injection can destroy your database: An attacker could DROP all tables, steal all data, or modify records. Always use parameterized queries. There is no safe way to concatenate user input into SQL.

Dynamic Queries

Paste this prompt to build dynamic queries (filters, sorting, pagination) without introducing injection risks. Your AI will generate a query builder pattern with whitelisted column names for ORDER BY and parameterized values for all user-supplied data.

AI Prompt

Safe Dynamic Queries

Help me build dynamic queries safely.

Scenarios:

  1. Dynamic WHERE clauses based on filter options
  2. Dynamic ORDER BY from user selection
  3. Optional search terms
  4. Pagination with limit/offset

Requirements:

  • Never put user input directly in SQL
  • Whitelist allowed column names for ORDER BY
  • Use parameterized values for all data
  • Build queries dynamically but safely

Show how to do this with:

  1. A query builder pattern
  2. My ORM's native methods (Prisma/Drizzle/etc.)
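The query builder pattern the prompt asks for, covering all four scenarios, as an added example that is not from the original page. It is plain Python over `sqlite3` with a constructed `posts` table; the whitelist contents, column names and `MAX_PAGE_SIZE` are assumptions for the example. The design rule it demonstrates is the one from the requirements list: identifiers (filter columns, sort column, direction) can never be bound as parameters, so they are looked up in fixed whitelists, while every user-supplied value is bound with `?` placeholders, including the limit and offset.

```python
import sqlite3

# Whitelists for identifiers: constructed for this example.
ALLOWED_FILTER_COLUMNS = {"author", "status"}
ALLOWED_SORT_COLUMNS = {"id", "title", "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}   # user input -> fixed SQL token
MAX_PAGE_SIZE = 100


def build_query(filters=None, sort_by="id", direction="asc",
                search=None, page=1, page_size=10) -> tuple:
    """Return (sql, params) for a filtered, sorted, paginated SELECT over posts."""
    where, params = [], []
    for column, value in (filters or {}).items():          # scenario 1: dynamic WHERE
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"filter column not allowed: {column!r}")
        where.append(f"{column} = ?")                       # identifier from whitelist, value bound
        params.append(value)
    if search:                                              # scenario 3: optional search term
        where.append("title LIKE ?")
        params.append(f"%{search}%")
    if sort_by not in ALLOWED_SORT_COLUMNS:                 # scenario 2: dynamic ORDER BY
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    if direction.lower() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not allowed: {direction!r}")
    if page < 1 or not 1 <= page_size <= MAX_PAGE_SIZE:     # scenario 4: pagination bounds
        raise ValueError("page must be >= 1 and page_size within 1..MAX_PAGE_SIZE")

    sql = "SELECT id, title, author FROM posts"
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += f" ORDER BY {sort_by} {ALLOWED_DIRECTIONS[direction.lower()]}"
    sql += " LIMIT ? OFFSET ?"                              # limit/offset are values: bind them
    params += [page_size, (page - 1) * page_size]
    return sql, params


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT, status TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (title, author, status, created_at) VALUES (?, ?, ?, ?)",
        [
            ("Alpha", "alice", "published", "2024-01-01"),
            ("Gamma", "alice", "published", "2024-01-03"),
            ("Beta", "alice", "draft", "2024-01-02"),
            ("Delta", "bob", "published", "2024-01-04"),
        ],
    )
    return conn


def list_titles(conn: sqlite3.Connection, **options) -> list:
    """Build and run a query from request options; returns the matching titles."""
    sql, params = build_query(**options)
    return [row[1] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = make_db()
    print(list_titles(conn, filters={"author": "alice"}, sort_by="title", direction="desc", page_size=2))
    print(build_query(search="lph", sort_by="created_at"))
```

Note that the sort column still ends up in the SQL string through an f-string, and that is fine only because the value was first checked against `ALLOWED_SORT_COLUMNS`; a request for `title; DROP TABLE posts` is rejected before any SQL is built. This is the same rule the FAQ below gives for table and column names: map user input onto a whitelist, never interpolate it directly.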

Pro tip: Use an ORM and its query builder whenever possible. ORMs parameterize queries automatically. Only use raw SQL when absolutely necessary, and always use parameterization.

Is escaping user input good enough?

No. Escaping can miss edge cases and is error-prone. Parameterized queries separate SQL logic from data, making injection impossible. Always use parameterized queries.

Can I use user input for table or column names?

Not directly. You must whitelist allowed values and map user input to the whitelist. Never dynamically construct table/column names from raw user input.

Further Reading

Want to understand the vulnerability before fixing it? These guides explain what's happening and why.

Find SQL Injection Vulnerabilities

Scan your codebase automatically for unsafe database queries.
