sql-injection-anti-pattern

Security anti-pattern for SQL Injection vulnerabilities (CWE-89). Use when generating or reviewing code that constructs database queries, builds SQL statements, or handles user input in database operations. Detects string concatenation in queries and recommends parameterized queries.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "sql-injection-anti-pattern" with this command: npx skills add igbuend/grimbard/igbuend-grimbard-sql-injection-anti-pattern

SQL Injection Anti-Pattern

Severity: Critical

Summary

Attackers execute arbitrary SQL commands by manipulating user input. String concatenation in queries (frequently AI-generated from insecure training data) enables database compromise, data exfiltration, authentication bypass, and remote code execution.

The Anti-Pattern

The anti-pattern is concatenating user data into SQL statements, allowing attackers to break query structure and inject malicious SQL.

BAD Code Example

# VULNERABLE: String concatenation creates injection vector.
import sqlite3

def get_user(db_connection, username):
    # User input concatenated directly into query.
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    cursor = db_connection.cursor()
    cursor.execute(query)
    return cursor.fetchone()

# Attack: username = "admin' OR '1'='1' --"
# Result: "SELECT * FROM users WHERE username = 'admin' OR '1'='1' --'"
# Returns all users, bypassing authentication.

GOOD Code Example

# SECURE: Parameterized queries prevent injection.
import sqlite3

def get_user(db_connection, username):
    # Parameters sent separately and escaped by database driver.
    # Malicious input cannot alter query logic.
    query = "SELECT * FROM users WHERE username = ?"
    cursor = db_connection.cursor()
    cursor.execute(query, (username,))
    return cursor.fetchone()

# Named parameters (preferred for clarity):
# query = "SELECT * FROM users WHERE username = :username"
# cursor.execute(query, {"username": username})

Detection

  • Look for string concatenation (+, ||, concat(), f-strings, template literals) used to build SQL queries.
  • Search for calls to execute(), query(), or raw() that take a single string variable which may contain user input.
  • Check for the use of .format(), %s, or ${} within SQL query strings.
  • Review any code that dynamically constructs SQL based on user input without proper parameterization.

Prevention

  • Use parameterized queries: Always use prepared statements for all database operations.
  • Never concatenate user input: Avoid direct string concatenation in SQL.
  • Use ORM libraries: Tools with built-in SQL injection protection (SQLAlchemy, Django ORM, Hibernate).
  • Apply least privilege: Database accounts should have minimal necessary permissions.
  • Validate input as defense-in-depth: Not primary defense, but supplements parameterization.

Related Security Patterns & Anti-Patterns

References

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

missing-security-headers-anti-pattern

No summary provided by upstream source.

Repository SourceNeeds Review
4-igbuend
Security

content-security-policy

No summary provided by upstream source.

Repository SourceNeeds Review
3-igbuend
Security

oauth-security-anti-pattern

No summary provided by upstream source.

Repository SourceNeeds Review
3-igbuend
General

tikz

No summary provided by upstream source.

Repository SourceNeeds Review
21-igbuend