TL;DR
Parameterized queries separate SQL code from data, making injection impossible. These prompts help you convert string concatenation patterns to prepared statements in JavaScript, Python, PHP, and other languages. Use your database library's parameterization syntax.
JavaScript/Node.js Parameterization
Convert these Node.js database queries to use parameterization.
Database library: pg/mysql2/better-sqlite3
Find all queries using string concatenation or template literals:
- `SELECT * FROM users WHERE id = ${id}`
- "SELECT * FROM posts WHERE title = '" + title + "'"
- query("DELETE FROM items WHERE id = " + req.params.id)
Convert each to:
- Parameterized syntax for my specific library
- Show the values array passed separately
- Keep the same query logic, just make it safe
Library-specific examples needed:
- pg: $1, $2 placeholders with values array
- mysql2: ? placeholders
- better-sqlite3: ? or named
Python Parameterization
Convert Python database queries to parameterized statements.
Library: psycopg2/mysql-connector/sqlite3/SQLAlchemy
Find unsafe patterns:
- f"SELECT * FROM users WHERE email = '{email}'"
- "SELECT * FROM posts WHERE id = %s" % post_id
- cursor.execute("DELETE FROM items WHERE id = " + str(item_id))
Convert to proper parameterization:
- psycopg2: %s placeholders with tuple
- sqlite3: ? placeholders with tuple
- SQLAlchemy: Use text() with
params or ORM methods
For each conversion, show:
- The unsafe original
- The safe parameterized version
- Why the original was vulnerable
ORM Query Safety
Find and fix unsafe raw queries within my ORM code.
ORM: Prisma/Sequelize/TypeORM/Django ORM/SQLAlchemy
Even with an ORM, I might have unsafe patterns:
- Raw query methods with string interpolation
- Bypassing the ORM for complex queries
- Using .extra() or raw() incorrectly
For each issue found:
- Convert to use ORM's safe raw query syntax
- Or rewrite using the ORM's query builder
- Show both options when possible
Examples to check:
- Prisma: $queryRaw with template strings (safe) vs concatenation (unsafe)
- Sequelize: sequelize.query() with replacements
- TypeORM: Raw() with parameters
- Django: .raw() and .extra() usage
Template literals aren't always safe: In Prisma, $queryRaw with tagged template literals is safe, but $queryRawUnsafe with string concatenation is not. Know the difference in your ORM.
Bulk Operations
Help me parameterize bulk database operations safely.
Scenarios:
- INSERT multiple rows at once
- UPDATE with dynamic WHERE IN clause
- DELETE multiple items by ID list
Current unsafe approach:
- Building VALUES string: "('" + values.join("'),('") + "')"
- Building IN clause: "WHERE id IN (" + ids.join(",") + ")"
Convert to safe versions:
- Use proper multi-row INSERT syntax with parameters
- Use array parameters for IN clauses where supported
- Generate correct number of placeholders dynamically
Show solutions for:
- PostgreSQL (ANY($1) syntax)
- MySQL (multiple ? placeholders)
- Generic approach for any database
Pro tip: For IN clauses with many items, some databases support array parameters (PostgreSQL's ANY) which are cleaner than generating multiple placeholders.
Can I parameterize table or column names?
No. Parameters only work for values, not identifiers. For dynamic table/column names, use a whitelist approach where you map user input to predefined allowed names.
Is there a performance difference with parameterized queries?
Parameterized queries can actually be faster because the database can cache the query plan and reuse it. The difference is usually negligible either way.
Find Unparameterized Queries
Scan your codebase for SQL injection vulnerabilities automatically.
Start Free Scan