[{"data":1,"prerenderedAt":366},["ShallowReactive",2],{"blog-prompts/fix-sql-injection":3},{"id":4,"title":5,"body":6,"category":345,"date":346,"dateModified":347,"description":348,"draft":349,"extension":350,"faq":351,"featured":349,"headerVariant":352,"image":351,"keywords":351,"meta":353,"navigation":354,"ogDescription":355,"ogTitle":351,"path":356,"readTime":351,"schemaOrg":357,"schemaType":358,"seo":359,"sitemap":360,"stem":361,"tags":362,"twitterCard":364,"__hash__":365},"blog/blog/prompts/fix-sql-injection.md","Fix SQL Injection Vulnerabilities with AI Prompts",{"type":7,"value":8,"toc":332},"minimark",[9,16,21,24,70,74,79,82,136,140,143,186,196,200,203,254,263,279,283,286,307,321],[10,11,12],"tldr",{},[13,14,15],"p",{},"SQL injection is one of the most critical vulnerabilities. These prompts help you find unsafe database queries and convert them to parameterized statements. Never concatenate user input into SQL strings. Always use prepared statements or an ORM.",[17,18,20],"h2",{"id":19},"find-sql-injection-vulnerabilities","Find SQL Injection Vulnerabilities",[13,22,23],{},"Paste this prompt to have your AI scan every database interaction for SQL injection risks. You'll get a report of each vulnerable query with the file location, an exploitation example, and the safe parameterized replacement.",[25,26,28,31,34,53,56,67],"prompt-box",{"title":27},"Scan for SQL Injection",[13,29,30],{},"Scan this codebase for SQL injection vulnerabilities.",[13,32,33],{},"Look for:",[35,36,37,41,44,47,50],"ol",{},[38,39,40],"li",{},"String concatenation in SQL queries",[38,42,43],{},"Template literals with user input in SQL",[38,45,46],{},"Raw query methods with unescaped variables",[38,48,49],{},"Dynamic table/column names from user input",[38,51,52],{},"ORDER BY with user-controlled direction",[13,54,55],{},"For each vulnerability found:",[35,57,58,61,64],{},[38,59,60],{},"Show the vulnerable code",[38,62,63],{},"Explain how it could be exploited",[38,65,66],{},"Provide the safe, parameterized version",[13,68,69],{},"Check all database interactions regardless of ORM/library used.",[17,71,73],{"id":72},"fix-vulnerable-queries","Fix Vulnerable Queries",[75,76,78],"h3",{"id":77},"raw-sql-to-parameterized","Raw SQL to Parameterized",[13,80,81],{},"Copy this prompt to convert string-concatenated SQL queries into parameterized statements. Your AI will show before/after code for each vulnerable query using the correct syntax for your database library.",[25,83,85,88,99,102,119,122,133],{"title":84},"Convert to Parameterized",[13,86,87],{},"Convert these vulnerable SQL queries to parameterized statements.",[13,89,90,91,95,96],{},"Language: ",[92,93,94],"span",{},"JavaScript/Python/other","\nDatabase: ",[92,97,98],{},"PostgreSQL/MySQL/SQLite",[13,100,101],{},"Vulnerable patterns to fix:",[103,104,105,111,116],"ul",{},[38,106,107],{},[108,109,110],"code",{},"SELECT * FROM users WHERE id = ${userId}",[38,112,113],{},[108,114,115],{},"query(\"SELECT * FROM posts WHERE title LIKE '%\" + search + \"%'\")",[38,117,118],{},"f-strings or format() with SQL in Python",[13,120,121],{},"Show:",[35,123,124,127,130],{},[38,125,126],{},"The vulnerable code (before)",[38,128,129],{},"The safe parameterized code (after)",[38,131,132],{},"Explanation of why the original was vulnerable",[13,134,135],{},"Use the appropriate parameterization for my database library.",[75,137,139],{"id":138},"orm-specific-fixes","ORM-Specific Fixes",[13,141,142],{},"Use this prompt to fix raw queries that bypass your ORM's built-in protections. Your AI will convert unsafe raw SQL to the ORM's parameterized syntax or its query builder, with examples for Prisma, Sequelize, TypeORM, and SQLAlchemy.",[25,144,146,149,155,158,169,172,183],{"title":145},"Fix ORM Raw Queries",[13,147,148],{},"Fix SQL injection in raw queries within my ORM.",[13,150,151,152],{},"ORM: ",[92,153,154],{},"Prisma/Sequelize/TypeORM/SQLAlchemy/Drizzle",[13,156,157],{},"I have raw queries that bypass the ORM's protections. Fix them:",[35,159,160,163,166],{},[38,161,162],{},"Use the ORM's parameterized raw query syntax",[38,164,165],{},"Or convert to use the ORM's query builder",[38,167,168],{},"Show both options when possible",[13,170,171],{},"Examples of patterns to fix:",[103,173,174,177,180],{},[38,175,176],{},"Prisma: $queryRaw with string concatenation",[38,178,179],{},"Sequelize: sequelize.query() with variables",[38,181,182],{},"TypeORM: query() or createQueryBuilder().where() with raw strings",[13,184,185],{},"Prefer using the ORM's built-in methods over raw queries.",[187,188,189],"warning-box",{},[13,190,191,195],{},[192,193,194],"strong",{},"SQL injection can destroy your database:"," An attacker could DROP all tables, steal all data, or modify records. Always use parameterized queries. There is no safe way to concatenate user input into SQL.",[17,197,199],{"id":198},"dynamic-queries","Dynamic Queries",[13,201,202],{},"Paste this prompt to build dynamic queries (filters, sorting, pagination) without introducing injection risks. Your AI will generate a query builder pattern with whitelisted column names for ORDER BY and parameterized values for all user-supplied data.",[25,204,206,209,212,226,229,243,246],{"title":205},"Safe Dynamic Queries",[13,207,208],{},"Help me build dynamic queries safely.",[13,210,211],{},"Scenarios:",[35,213,214,217,220,223],{},[38,215,216],{},"Dynamic WHERE clauses based on filter options",[38,218,219],{},"Dynamic ORDER BY from user selection",[38,221,222],{},"Optional search terms",[38,224,225],{},"Pagination with limit/offset",[13,227,228],{},"Requirements:",[103,230,231,234,237,240],{},[38,232,233],{},"Never put user input directly in SQL",[38,235,236],{},"Whitelist allowed column names for ORDER BY",[38,238,239],{},"Use parameterized values for all data",[38,241,242],{},"Build queries dynamically but safely",[13,244,245],{},"Show how to do this with:",[35,247,248,251],{},[38,249,250],{},"A query builder pattern",[38,252,253],{},"My ORM's native methods (Prisma/Drizzle/etc)",[255,256,257],"tip-box",{},[13,258,259,262],{},[192,260,261],{},"Pro tip:"," Use an ORM and its query builder whenever possible. ORMs parameterize queries automatically. Only use raw SQL when absolutely necessary, and always use parameterization.",[264,265,266,273],"faq-section",{},[267,268,270],"faq-item",{"question":269},"Is escaping user input good enough?",[13,271,272],{},"No. Escaping can miss edge cases and is error-prone. Parameterized queries separate SQL logic from data, making injection impossible. Always use parameterized queries.",[267,274,276],{"question":275},"Can I use user input for table or column names?",[13,277,278],{},"Not directly. You must whitelist allowed values and map user input to the whitelist. Never dynamically construct table/column names from raw user input.",[17,280,282],{"id":281},"further-reading","Further Reading",[13,284,285],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[103,287,288,295,301],{},[38,289,290],{},[291,292,294],"a",{"href":293},"/blog/vulnerabilities/sql-injection","SQL injection explained",[38,296,297],{},[291,298,300],{"href":299},"/blog/how-to/prevent-sql-injection","How to prevent SQL injection",[38,302,303],{},[291,304,306],{"href":305},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[308,309,310,316],"related-articles",{},[311,312],"related-card",{"description":313,"href":314,"title":315},"Query parameterization guide","/blog/prompts/parameterize-queries","Parameterize Queries",[311,317],{"description":318,"href":319,"title":320},"Validate before querying","/blog/prompts/database-input-validation","Database Input Validation",[322,323,326,329],"cta-box",{"href":324,"label":325},"/","Start Free Scan",[17,327,20],{"id":328},"find-sql-injection-vulnerabilities-1",[13,330,331],{},"Scan your codebase automatically for unsafe database queries.",{"title":333,"searchDepth":334,"depth":334,"links":335},"",2,[336,337,342,343,344],{"id":19,"depth":334,"text":20},{"id":72,"depth":334,"text":73,"children":338},[339,341],{"id":77,"depth":340,"text":78},3,{"id":138,"depth":340,"text":139},{"id":198,"depth":334,"text":199},{"id":281,"depth":334,"text":282},{"id":328,"depth":334,"text":20},"prompts","2026-02-20","2026-03-06","AI prompts to find and fix SQL injection vulnerabilities in your code. Convert unsafe queries to parameterized statements and protect your database.",false,"md",null,"cyan",{},true,"AI prompts to fix SQL injection vulnerabilities in your code.","/blog/prompts/fix-sql-injection","[object Object]","BlogPosting",{"title":5,"description":348},{"loc":356},"blog/prompts/fix-sql-injection",[363],"Critical","summary_large_image","LUasBJC1D9XXPwxkvf1UWz08XGdvyDysEglyiTn8SFE",1775843921423]