no-sql-concat
Disallow SQL string concatenation with dynamic values (potential SQL injection)
Category: Security | Tier: Pro
Why This Matters
AI-generated code commonly builds SQL queries by concatenating user input directly into query strings. This is the textbook SQL injection vulnerability: an attacker who controls the concatenated value can change the structure of the query and read, modify, or delete data across the entire database.
Bad Code
// SQL injection vulnerability from string concatenation
const query = "SELECT * FROM users WHERE id = " + userId;
db.query(`DELETE FROM orders WHERE email = '${email}'`);
Good Code
// Use parameterized queries
const query = "SELECT * FROM users WHERE id = ?";
db.query(query, [userId]);
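Placeholders carry values, but not identifiers or variable-length lists, which is where code tends to fall back to concatenation. The following is an added example (not part of the lintmyai rule or its documentation) that handles both cases with the same `?`-placeholder convention as above: a dynamic IN list is expanded to one placeholder per value, and a caller-chosen sort column is taken from a fixed allow-list instead of being interpolated from input. `db.query` is a hypothetical driver call with the `(text, values)` signature shown above.

```javascript
// Added example: build a query with a dynamic IN list and a sortable column
// without concatenating any user-supplied value into the SQL text.

// Identifiers cannot be bound as parameters, so they come from an allow-list.
const SORTABLE_COLUMNS = new Set(["id", "email", "created_at"]);

function buildUserLookup(ids, sortBy) {
  if (!Array.isArray(ids) || ids.length === 0) {
    throw new Error("ids must be a non-empty array");
  }
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    // Reject anything not on the list; never echo it into the query text.
    throw new Error("unsupported sort column");
  }
  // One "?" per id; the ids themselves travel in the values array and are
  // bound by the driver, so their content can never alter the SQL structure.
  const placeholders = ids.map(() => "?").join(", ");
  return {
    text: `SELECT * FROM users WHERE id IN (${placeholders}) ORDER BY ${sortBy}`,
    values: [...ids],
  };
}

// Stand-alone demonstration with constructed inputs.
const ok = buildUserLookup([7, 42], "email");
console.log(ok.text);   // SELECT * FROM users WHERE id IN (?, ?) ORDER BY email
console.log(ok.values); // [ 7, 42 ]
try {
  buildUserLookup([1], "password_hash"); // not sortable: rejected before any SQL is built
} catch (e) {
  console.log("rejected:", e.message);
}
// With a real driver: db.query(ok.text, ok.values);
```

A pattern-based rule such as no-sql-concat may still flag the `ORDER BY ${sortBy}` interpolation; the allow-list check is what makes it safe, so any suppression there should point at that check.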
Configuration
This rule has no configuration options. It is enabled by default in lintmyai:recommended.