How a SQL injection bug passed 3 rounds of code review (and how AI caught it instantly)

via Dev.to Webdev, Muhammad Usman Shabir

It was a Friday afternoon. The sprint was ending. Everyone wanted to go home. A pull request came in for a new user lookup feature. Three senior developers reviewed it. All three approved it. It shipped to production that evening.

Two weeks later a security audit flagged it. SQL injection. A textbook one. The kind that every developer learns about in their first week.

Here's the code that passed three rounds of review:

    async function getUserById(userId) {
      const query = "SELECT * FROM users WHERE id = " + userId
      const result = await db.execute(query)
      return result.rows[0]
    }

Three experienced developers looked at this. Nobody caught it.

Why Humans Miss These

Before explaining how AI caught it instantly, it's worth understanding why three smart developers missed something so fundamental.

Review fatigue is real. That PR was the 14th one reviewed that Friday. By the time a developer reaches their 10th PR of the day, their brain is actively looking for shortcuts. They scan for t
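The defect in the snippet is that the untrusted `userId` becomes part of the SQL text itself, so whatever the caller sends is interpreted as SQL rather than as a value. The following is an added example, not code from the article or its author: it places the vulnerable lookup next to a hardened version that validates the input's shape and binds it as a query parameter, and runs both against a small recording test double standing in for `db` (an assumption; the article never shows which driver it uses, and the `?` placeholder style is the mysql2/sqlite convention, whereas pg uses `$1`). The hostile input string is constructed for the comparison.

```javascript
// Added example (not the article's code): the vulnerable lookup from the
// article beside a hardened version, run against a recording test double
// instead of a real database so it executes offline.

// Test double standing in for the article's `db` (assumption: a driver with
// an execute(sql, params) method). It records what would reach the database
// instead of executing anything.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    async execute(sql, params = []) {
      calls.push({ sql, params });
      return { rows: [] }; // no real rows; only the sent query is inspected
    },
  };
}

// The article's pattern: the untrusted value is spliced into the SQL text.
async function getUserByIdVulnerable(db, userId) {
  const query = "SELECT * FROM users WHERE id = " + userId;
  const result = await db.execute(query);
  return result.rows[0];
}

// Hardened version, step 1: reject anything that is not a plain integer id
// before it gets anywhere near a query.
function parseUserId(raw) {
  if (typeof raw !== "string" && typeof raw !== "number") {
    throw new TypeError("userId must be a string or number");
  }
  const s = String(raw);
  if (!/^[0-9]{1,18}$/.test(s)) {
    throw new RangeError("userId must be a positive integer");
  }
  return Number(s);
}

// Hardened version, step 2: the SQL text is a constant; the value travels
// separately as a bound parameter, so it can never change the query's shape.
async function getUserByIdSafe(db, userId) {
  const id = parseUserId(userId);
  const result = await db.execute("SELECT * FROM users WHERE id = ?", [id]);
  return result.rows[0];
}

// Compare what reaches the driver for a constructed hostile input and for a
// benign one. Returns a summary object rather than printing, so it can be
// checked programmatically.
async function demo() {
  const hostile = "1 OR 1=1"; // constructed sample of untrusted input

  const vulnDb = makeRecordingDb();
  await getUserByIdVulnerable(vulnDb, hostile);

  const safeDb = makeRecordingDb();
  let rejection = null;
  try {
    await getUserByIdSafe(safeDb, hostile);
  } catch (e) {
    rejection = e;
  }
  await getUserByIdSafe(safeDb, "42");

  return {
    vulnerableSql: vulnDb.calls[0].sql,          // hostile text became SQL
    hostileRejected: rejection instanceof RangeError,
    safeCallCount: safeDb.calls.length,          // only the benign call ran
    safeSql: safeDb.calls[0].sql,                // constant query text
    safeParams: safeDb.calls[0].params,          // value bound separately
  };
}

demo().then((summary) => console.log(summary));
```

The recording double makes the difference visible without a database: the vulnerable path sends `SELECT * FROM users WHERE id = 1 OR 1=1` as query text, while the hardened path never issues a query for the hostile input at all and, for a valid id, sends a fixed string with the value in the parameter list. The input validation is a second layer, not a substitute for binding; parameterization alone already prevents the injection, and the whitelist check simply rejects garbage early and makes the intent reviewable.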

Continue reading on Dev.to Webdev
