Security · SEC002 · 2026-01-27 · 5 min read

SQL Injection Is Still Happening in AI-Generated Code

SQL injection has been a known vulnerability for over 25 years. Every security course covers it. Every framework provides parameterized queries. And AI assistants are still generating f"SELECT * FROM users WHERE id = {user_id}" in production code.

What we found

We analyzed AI-generated database code across 200 projects and found string concatenation or f-string interpolation in SQL queries in nearly 40% of them. The pattern is remarkably consistent: the AI generates a working query using the most direct approach, which means dropping variables straight into the SQL string.

Sometimes it's obvious: f"DELETE FROM sessions WHERE user_id = '{user_id}'". Sometimes it's subtle: building a WHERE clause dynamically by concatenating conditions from user input.

Why parameterized queries matter

With string concatenation, an attacker can input: ' OR 1=1; DROP TABLE users; --

With parameterized queries, the database treats the entire input as data, not code. The query executes safely regardless of what the user provides.

Every database library supports this: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,)) in Python, or db.query("SELECT * FROM users WHERE id = $1", [userId]) in Node.js.

What SEC002 catches

SEC002 scans for SQL keywords (SELECT, INSERT, UPDATE, DELETE, etc.) combined with string concatenation, f-strings, template literals, or format() calls. It understands common ORM patterns and won't flag parameterized queries or query builders.
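The following is an added illustration of the kind of check described above and of the parameterized form from the previous section; it is not SEC002's own implementation. It walks a Python module's AST and flags execute()/query() calls whose first argument is an f-string, a concatenation, a %-formatted string or a .format() call that starts with an SQL keyword, while leaving a plain literal with a separate parameter tuple alone. The sample source lines and the keyword list are constructed for the example.

```python
import ast

# Keywords that mark a string literal as an SQL statement (constructed list, not SEC002's rules)
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP")


def _looks_like_sql(text):
    return text.lstrip().upper().startswith(SQL_KEYWORDS)


def _is_dynamic_sql(node):
    """True when the AST node assembles an SQL statement from pieces at run time."""
    if isinstance(node, ast.JoinedStr):  # f"SELECT ... {user_id}"
        static = "".join(v.value for v in node.values if isinstance(v, ast.Constant))
        return _looks_like_sql(static) and any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "SELECT ..." + x  or  "SELECT ... %s" % x; %-formatting runs before the driver
        # ever sees the query, so it is string building, not a bound parameter
        left = node.left
        while isinstance(left, ast.BinOp):  # leftmost operand of a concatenation chain
            left = left.left
        return isinstance(left, ast.Constant) and isinstance(left.value, str) and _looks_like_sql(left.value)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        base = node.func.value  # "SELECT ... {}".format(x)
        return isinstance(base, ast.Constant) and isinstance(base.value, str) and _looks_like_sql(base.value)
    return False  # a plain literal, i.e. the parameterized form, is not flagged


def find_dynamic_sql(source):
    """Return (line, query_expression) for every execute()/query() call built dynamically."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "query") or not node.args:
            continue
        if _is_dynamic_sql(node.args[0]):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return findings


# Constructed sample: four dynamic variants, then the parameterized query from the post
SAMPLE = '''
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
cursor.execute("DELETE FROM sessions WHERE user_id = '" + user_id + "'")
cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)
cursor.execute("SELECT * FROM users WHERE id = {}".format(user_id))
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
'''

if __name__ == "__main__":
    for line, query in find_dynamic_sql(SAMPLE):
        print(f"line {line}: dynamic SQL -> {query}")
```

Only the first four sample lines are reported; the parameterized call on the last line passes a constant query text and a separate argument tuple, which is exactly the shape the check leaves alone.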

This is one of our free-tier checks because the consequences of missing it are catastrophic. Every StableStack user gets SQL injection detection out of the box.

SEC002 is included in the free tier.

pip install stablestack