Critical

Fix SQL Injection Vulnerabilities with AI Prompts

January 2026AI Fix Prompts
Share

TL;DR

SQL injection is one of the most critical vulnerabilities. These prompts help you find unsafe database queries and convert them to parameterized statements. Never concatenate user input into SQL strings. Always use prepared statements or an ORM.

Find SQL Injection Vulnerabilities

Scan for SQL Injection

Scan this codebase for SQL injection vulnerabilities.

Look for:

  1. String concatenation in SQL queries
  2. Template literals with user input in SQL
  3. Raw query methods with unescaped variables
  4. Dynamic table/column names from user input
  5. ORDER BY with user-controlled direction

For each vulnerability found:

  1. Show the vulnerable code
  2. Explain how it could be exploited
  3. Provide the safe, parameterized version

Check all database interactions regardless of ORM/library used.

Fix Vulnerable Queries

Raw SQL to Parameterized

Convert to Parameterized

Convert these vulnerable SQL queries to parameterized statements.

Language: JavaScript/Python/other Database: PostgreSQL/MySQL/SQLite

Vulnerable patterns to fix:

  • SELECT * FROM users WHERE id = ${userId}
  • query("SELECT * FROM posts WHERE title LIKE '%" + search + "%'")
  • f-strings or format() with SQL in Python

Show:

  1. The vulnerable code (before)
  2. The safe parameterized code (after)
  3. Explanation of why the original was vulnerable

Use the appropriate parameterization for my database library.

ORM-Specific Fixes

Fix ORM Raw Queries

Fix SQL injection in raw queries within my ORM.

ORM: Prisma/Sequelize/TypeORM/SQLAlchemy/Drizzle

I have raw queries that bypass the ORM's protections. Fix them:

  1. Use the ORM's parameterized raw query syntax
  2. Or convert to use the ORM's query builder
  3. Show both options when possible

Examples of patterns to fix:

  • Prisma: $queryRaw with string concatenation
  • Sequelize: sequelize.query() with variables
  • TypeORM: query() or createQueryBuilder().where() with raw strings

Prefer using the ORM's built-in methods over raw queries.

SQL injection can destroy your database: An attacker could DROP all tables, steal all data, or modify records. Always use parameterized queries. There is no safe way to concatenate user input into SQL.

Dynamic Queries

Safe Dynamic Queries

Help me build dynamic queries safely.

Scenarios:

  1. Dynamic WHERE clauses based on filter options
  2. Dynamic ORDER BY from user selection
  3. Optional search terms
  4. Pagination with limit/offset

Requirements:

  • Never put user input directly in SQL
  • Whitelist allowed column names for ORDER BY
  • Use parameterized values for all data
  • Build queries dynamically but safely

Show how to do this with:

  1. A query builder pattern
  2. My ORM's native methods (Prisma/Drizzle/etc)

Pro tip: Use an ORM and its query builder whenever possible. ORMs parameterize queries automatically. Only use raw SQL when absolutely necessary, and always use parameterization.

Is escaping user input good enough?

No. Escaping can miss edge cases and is error-prone. Parameterized queries separate SQL logic from data, making injection impossible. Always use parameterized queries.

Can I use user input for table or column names?

Not directly. You must whitelist allowed values and map user input to the whitelist. Never dynamically construct table/column names from raw user input.

Related Articles

Parameterize Queries

Query parameterization guide

Database Input Validation

Validate before querying

Find SQL Injection Vulnerabilities

Scan your codebase automatically for unsafe database queries.

Start Free Scan
AI Fix Prompts

Fix SQL Injection Vulnerabilities with AI Prompts