no-raw-sql
Disallow raw SQL strings; prefer query builders or ORMs
Category: Security | Tier: Pro
Why This Matters
AI-generated code often builds raw SQL strings instead of using a query builder or ORM. Raw SQL strings are harder to maintain, offer no type safety, and are more prone to injection vulnerabilities than a query builder or ORM, which parameterizes values for you.
Bad Code
// Raw SQL strings without a query builder
const result = db.query("SELECT * FROM users WHERE active = 1");
Good Code
// Use a query builder or ORM
const result = await db.select().from(users).where(eq(users.active, true));
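The following is an added illustration of the kind of check this rule performs; it is not lintmyai's own implementation. It scans source text for calls such as db.query("SELECT ...") whose first argument is a string literal of SQL, distinguishes plain literals from template literals that interpolate values into the statement, and leaves query-builder chains untouched. The list of method names and the sample source are constructed assumptions.

```javascript
// Added illustration of the check behind this rule; it is not lintmyai's own
// implementation. It flags calls such as db.query("SELECT ...") whose first
// argument is a string literal of SQL and leaves query-builder chains alone.
// A regex heuristic, not a JavaScript parser: SQL held in a variable
// (db.query(stmt)) is not detected, which is a known limitation.

// Method names commonly used to run raw SQL (assumed list; extend as needed).
// Captures: 1 = method, 2 = opening quote, 3 = literal body.
const RAW_CALL = /\.(query|execute|raw|exec|run)\(\s*(["'`])((?:\\.|(?!\2)[^\\])*)\2/g;
const SQL_KEYWORDS = /^\s*(SELECT|INSERT|UPDATE|DELETE|WITH|CREATE|ALTER|DROP|TRUNCATE|MERGE)\b/i;

function findRawSql(source) {
  const findings = [];
  for (const match of source.matchAll(RAW_CALL)) {
    const [, method, quote, body] = match;
    // A string literal that is not SQL (a cache key, a topic name) is fine.
    if (!SQL_KEYWORDS.test(body)) continue;
    const line = source.slice(0, match.index).split('\n').length;
    findings.push({
      line,
      method,
      // ${...} inside a template literal splices a value into the statement
      // text itself; that is the form most likely to become an injection.
      interpolated: quote === '`' && body.includes('${'),
      message: `Raw SQL string passed to .${method}(); use a query builder or ORM`,
    });
  }
  return findings;
}

// Constructed sample: the rule's Bad and Good snippets plus two edge cases.
const SAMPLE = [
  'const result = db.query("SELECT * FROM users WHERE active = 1");',
  'const byId = await db.execute(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  'const cached = cache.query("users:active");',
  'const result2 = await db.select().from(users).where(eq(users.active, true));',
].join('\n');

for (const f of findRawSql(SAMPLE)) {
  console.log(`${f.line}: ${f.message}${f.interpolated ? ' (value interpolated into SQL text)' : ''}`);
}
```

Run with node; lines 1 and 2 of the sample are reported, the cache key on line 3 and the builder chain on line 4 are not.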
Configuration
This rule has no configuration options. It is enabled by default in lintmyai:recommended.