rulesSource-backedReview first Safety ✓ Privacy ✓
AI-Generated SQL Injection Review Rules
Source-backed rules for reviewing AI-generated database access code for SQL injection before merge, covering parameterized queries, identifier handling, ORM safety, dynamic query construction, least-privilege access, and privacy-safe test evidence.
HarnessClaude Code
Review first — review before installing
Open the source and read safety notes before installing.
Safety notes
- SQL injection lets an attacker read, modify, or destroy data and sometimes execute commands, so a single concatenated query on user input can compromise the whole database.
- AI assistants often produce plausible queries that concatenate input or use a raw escape hatch on an otherwise safe ORM, which passes simple tests but is injectable.
- Running injection-style test inputs against a production database can corrupt or expose real data, so exercise them only in a sandbox with least-privilege credentials.
Privacy notes
- Database code and its test cases can reference real schemas, credentials, connection strings, and personal data when copied from production examples.
- Do not paste real connection strings, credentials, or production query results into public PR comments; use synthetic schemas and data.
- Be careful with error messages that echo SQL or row data, since verbose database errors can leak schema and personal information.
Prerequisites
- A pull request, diff, or snippet containing AI-generated or AI-edited database access code with enough context to know which values come from user input.
- Knowledge of the database driver, ORM, or query builder in use, since parameterization syntax and safe APIs differ between them.
- A non-production database or sandbox where injection-style inputs can be exercised without touching real data.
- Permission to block merge when user input reaches SQL without parameterization or when identifiers are taken from input without an allow-list.
Schema details
- Install type
- copy
- Troubleshooting
- Yes
Collection metadata
- Estimated setup
- 20 minutes
- Difficulty
- intermediate
Full copyable content
You are reviewing AI-generated database access code for SQL injection.
Rules:
1. Require parameterized queries or prepared statements for all user-influenced
values; never concatenate or interpolate input into SQL text.
2. Treat identifiers (table, column, sort, direction) as un-parameterizable;
validate them against a fixed allow-list instead of inserting input.
3. Verify ORM and query-builder usage stays on safe APIs, and scrutinize any
raw-query or string-fragment escape hatch for injected input.
4. Reject dynamic query construction that builds SQL from untrusted strings,
including LIKE patterns, IN lists, and JSON or full-text fragments.
5. Enforce least privilege on the database account so an injection cannot read
or write beyond the feature's needs.
6. Test with valid, malformed, and injection-style inputs, and keep test data
free of real credentials or personal data.About this resource
Purpose
Use these rules when an AI coding assistant writes or edits database access code. The goal is to stop a generated query from shipping a SQL injection just because it returns the right rows in a quick test, since injectable code often looks correct on valid input.
This is a review policy, not a database tutorial. It tells reviewers what must be true about generated query construction, identifier handling, and privileges before the change is safe to merge.
Review Inputs
Collect enough context to know which values are untrusted and how they reach SQL.
- Input provenance. Which values in the query come from request input, headers, files, or other untrusted sources.
- Construction style. Whether the code uses parameterized queries, an ORM, a query builder, or string concatenation to build SQL.
- Identifier use. Whether any table, column, sort field, or direction is chosen from user input rather than a fixed set.
- Escape hatches. Whether the change uses a raw-query, raw-fragment, or string-format API on an otherwise safe ORM.
- Privileges. What the database account can do, and whether it exceeds what the feature needs.
If the change cannot say which values are untrusted and how the query is built, require that context before reviewing the SQL text.
Parameterization Rules
- Use parameterized queries or prepared statements for every user-influenced value; bind parameters instead of building SQL strings.
- Never concatenate or interpolate untrusted input into SQL text, including through format strings or template literals.
- Pass values as bound parameters even when they look numeric or constrained; do not rely on type assumptions for safety.
- For IN lists, generate one placeholder per value and bind each, rather than joining input into a single string.
- Build LIKE patterns from bound parameters and escape wildcard characters rather than concatenating user input.
Identifier And Dynamic SQL Rules
Identifiers cannot be bound as parameters, so they need a different defense.
- Validate table, column, sort, and direction inputs against a fixed allow-list and map to known-safe identifiers.
- Do not insert user input as an identifier even when quoted; quoting is not a substitute for an allow-list.
- Keep dynamic query construction minimal and centralized so it can be reviewed and tested in one place.
- Reject building SQL from untrusted JSON, full-text, or expression fragments without strict validation.
- Prefer query builders that parameterize automatically over hand-built dynamic SQL.
ORM And Privilege Rules
- Keep ORM and query-builder usage on safe, parameterizing APIs, and flag any raw-query or raw-fragment escape hatch for close review.
- Verify that a raw query passed through an ORM still binds parameters and does not interpolate input.
- Enforce least privilege on the database account so an injection cannot reach tables or operations beyond the feature.
- Avoid running application queries as a superuser or schema owner.
- Keep verbose database errors out of responses so a failed injection attempt does not leak schema details.
Merge Blockers
Block merge until resolved when:
- user-influenced input is concatenated or interpolated into SQL instead of bound as a parameter;
- a table, column, sort, or direction comes from user input without an allow-list;
- an ORM raw-query or raw-fragment escape hatch carries untrusted input;
- dynamic SQL is built from untrusted JSON, expression, or full-text fragments without strict validation;
- the database account has privileges far beyond what the feature requires;
- test evidence uses real credentials, connection strings, or personal data instead of synthetic samples.
Review Checklist
- {"task": "Input mapped", "description": "The review identifies which query values are untrusted and how they reach SQL"}
- {"task": "Parameterized", "description": "User-influenced values are bound as parameters, never concatenated into SQL"}
- {"task": "Identifiers allow-listed", "description": "Table, column, sort, and direction inputs are validated against a fixed set"}
- {"task": "Escape hatches safe", "description": "ORM raw queries and fragments still bind parameters and avoid interpolation"}
- {"task": "Least privilege", "description": "The database account cannot reach beyond what the feature needs"}
- {"task": "Privacy safe", "description": "Test data avoids real credentials, connection strings, and personal data"}
AI Review Rules
AI assistants can write and review database code, but they should show evidence.
- Ask the assistant to mark every user-influenced value in the query before judging safety.
- Require it to flag string concatenation and raw escape hatches explicitly, not only confirm the happy path.
- Have the assistant provide injection-style test inputs alongside valid ones.
- Do not let the assistant claim an ORM is safe without checking for raw-query usage.
- Re-run review after any change to query construction, identifiers, or raw fragments.
Troubleshooting
- Input is concatenated into SQL: switch to bound parameters or prepared statements for every untrusted value.
- A sort or column comes from input: map it through a fixed allow-list to a known-safe identifier.
- An ORM raw query takes input: bind parameters in the raw call or move back to the safe ORM API.
- An IN list joins user values: generate one placeholder per value and bind each one.
- Errors leak schema: return generic errors and keep verbose database messages server-side only.
Duplicate And History Check
Checked existing rules, hooks, statuslines, guides, collections, skills, open PRs, and closed PRs for SQL injection, parameterized queries, database security, input validation, and AI-generated code review.
Adjacent content includes general security-audit and database-migration rules, but no entry is a portable pre-merge review policy specifically for SQL injection in AI-generated database code. This entry is distinct because it decides what must be true about generated query construction, identifier handling, and privileges before the change can merge.
No prior closed PR for this rule was found during the duplicate/history check.
Construction Reference
The construction styles below map to their injection risk and the safe direction a reviewer should require.
| Construction style | Injection risk | Safe direction |
|---|---|---|
| String concatenation of input | High | Replace with bound parameters |
| Format string / template literal | High | Replace with bound parameters |
| Identifier from user input | High | Allow-list and map to a fixed set |
| ORM raw query with input | Medium-High | Bind parameters or use the safe ORM API |
| Parameterized / prepared statement | Low | Keep; verify all values are bound |
Bound parameters keep data separate from SQL code, and an allow-list keeps untrusted input out of identifier positions, which together remove the most common SQL injection paths in generated code.
Sources
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- OWASP SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
- OWASP Query Parameterization Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html
- CWE-89 SQL Injection: https://cwe.mitre.org/data/definitions/89.html
- PortSwigger Web Security Academy — SQL injection: https://portswigger.net/web-security/sql-injection
Source citations
Add this badge to your README
Show that AI-Generated SQL Injection Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/ai-generated-sql-injection-review-rules)How it compares
AI-Generated SQL Injection Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Source-backed rules for reviewing AI-generated database access code for SQL injection before merge, covering parameterized queries, identifier handling, ORM safety, dynamic query construction, least-privilege access, and privacy-safe test evidence. Open dossier | Source-backed rules for reviewing AI-generated regular expressions before merge, covering catastrophic backtracking and ReDoS risk, input bounds, anchor and escaping correctness, validation versus parsing, safe engines, and privacy-safe test evidence. Open dossier | Configure Claude as a security expert for vulnerability assessment, penetration testing, and security best practices Open dossier | Security-first React component architect with XSS prevention, CSP integration, input sanitization, and OWASP Top 10 mitigation patterns Open dossier |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | rules | rules | rules | rules |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | jaso0n0818 | jaso0n0818 | JSONbored | JSONbored |
| Added | 2026-06-19 | 2026-06-19 | 2025-09-15 | 2025-10-16 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓SQL injection lets an attacker read, modify, or destroy data and sometimes execute commands, so a single concatenated query on user input can compromise the whole database. AI assistants often produce plausible queries that concatenate input or use a raw escape hatch on an otherwise safe ORM, which passes simple tests but is injectable. Running injection-style test inputs against a production database can corrupt or expose real data, so exercise them only in a sandbox with least-privilege credentials. | ✓A vulnerable regular expression on untrusted input can hang a request thread or worker through catastrophic backtracking, causing a regular-expression denial of service that takes down availability. AI assistants often produce plausible-looking patterns with nested quantifiers or broad `.*` spans that pass simple cases but degrade to exponential time on crafted input. Running an unfamiliar pattern against large or adversarial input without a length bound or timeout can stall the reviewing process itself, so test in a sandbox with bounded input. | ✓Only assess, scan, or test systems you own or are explicitly authorized to test; unauthorized penetration testing or exploitation is illegal. Treat any active scanning, exploitation, or DAST tooling as potentially destructive; run it against staging or scoped targets, never production without written authorization. Vulnerability findings and exploit details are sensitive; handle and disclose them responsibly rather than committing live exploits or unredacted reports. | ✓Recommendations may include shell commands, package installs, or file edits; review and run any suggested changes yourself instead of applying them unverified. |
| Privacy notes | ✓Database code and its test cases can reference real schemas, credentials, connection strings, and personal data when copied from production examples. Do not paste real connection strings, credentials, or production query results into public PR comments; use synthetic schemas and data. Be careful with error messages that echo SQL or row data, since verbose database errors can leak schema and personal information. | ✓Regex test cases and match captures can contain emails, tokens, credentials, identifiers, or other personal data when the pattern targets real-world formats. Do not paste production log lines, real secrets, or customer identifiers into public PR comments as regex test evidence; use synthetic samples. Be careful with patterns that capture and log matched groups, since they can copy sensitive substrings into logs or error messages. | ✓Security review reads source code, configuration, environment files, and logs that can contain secrets, API keys, tokens, credentials, and PII. Do not paste discovered secrets, customer data, or internal log contents into shared chats, issues, or public notes; redact before reporting. Scanned outputs and incident artifacts may carry user data subject to GDPR/CCPA; store and transmit them only through approved, access-controlled channels. | ✓Guides Claude to read your repository files plus any code, logs, configuration, or credentials you share in the session; nothing is transmitted beyond the model, but review what you expose before sharing. |
| Prerequisites |
|
| — none listed | — none listed |
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Featured in
Signals
Loading live community signals…
More like this, weekly
A short, calm digest of reviewed Claude resources. Unsubscribe any time.