SEC002errorFree tier

sql-injection

SQL queries built with string concatenation are vulnerable to injection

Applies to: Go, JavaScript, Python, Ruby, Rust, TypeScript

Why this matters

Building SQL queries by concatenating strings allows attackers to inject malicious SQL code. If a user enters "'; DROP TABLE users; --" as their name, your database could be destroyed. Always use parameterized queries.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC002 includedstablestack explain SEC002

False positive in your codebase? Suppress a single line with # noqa: SEC002