
SQL Injection in Cursor-Generated Code: What Gets Missed
TL;DR

Cursor and most AI editors generate SQL queries with user input interpolated directly into template literals. This is CWE-89 SQL injection; parameterized queries fix it completely in about ten seconds. Automated SAST catches this before it ships; most AI-generated codebases don't run any.

I've been reviewing codebases built mostly with Cursor and Claude Code for a few months. The SQL injection pattern keeps showing up. Not the obvious string concatenation from old PHP tutorials. The modern version: template literals.

Ask Cursor to write a basic filter route and it generates something that looks clean, passes all your tests, runs perfectly in development, and doesn't trip any warnings. The problem only surfaces when someone sends a crafted input to a production endpoint.

The Vulnerable Pattern (CWE-89)

Here's what gets generated for a basic user filter endpoint:

    app.get('/api/users', async (req, res) => {
      const { filter } = req.query;
      const result = await db.query(`
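The snippet above is cut off in the source, so here is an added example (not the post's own code) that shows the full pattern the post describes: the template-literal query beside its parameterized replacement, plus a toy pattern check of the kind a SAST rule would run. It assumes a node-postgres style driver (`db.query(text, values)` with `$1` placeholders), a `users` table with a `name` column, and a `filter` query parameter; the sample source scanned at the end is constructed for the example.

```javascript
// Added example, not from the original post. Assumes a pg-style driver
// (db.query(text, values) with $1 placeholders), a `users` table with a
// `name` column, and a `filter` query parameter.

// VULNERABLE (CWE-89): the user-controlled filter becomes part of the SQL
// text itself. A quote in `filter` ends the string literal and whatever
// follows is parsed as SQL.
function buildVulnerableQuery(filter) {
  return `SELECT id, name FROM users WHERE name LIKE '%${filter}%'`;
}

// FIXED: the SQL text is a constant. The value travels to the server
// separately as a bind parameter, so it can never alter the statement's
// structure. The LIKE wildcards are added to the value, not the SQL.
function buildParameterizedQuery(filter) {
  return {
    text: 'SELECT id, name FROM users WHERE name LIKE $1',
    values: [`%${filter}%`],
  };
}

// Input-shape validation is defence in depth, not the fix: req.query.filter
// can be an array (?filter=a&filter=b), and absurd lengths or control
// characters have no business reaching the database. Returns null to reject.
function normalizeFilter(raw) {
  if (typeof raw !== 'string') return null;
  if (raw.length === 0 || raw.length > 64) return null;
  if (/[\x00-\x1f]/.test(raw)) return null;
  return raw;
}

// Express route using the fixed query (db is any pg-style client).
function registerUsersRoute(app, db) {
  app.get('/api/users', async (req, res) => {
    const filter = normalizeFilter(req.query.filter);
    if (filter === null) return res.status(400).json({ error: 'bad filter' });
    const q = buildParameterizedQuery(filter);
    const result = await db.query(q.text, q.values);
    res.json(result.rows);
  });
}

// Toy SAST-style check: flag .query( calls whose first argument is a template
// literal containing an interpolation. Returns 1-based line numbers. This is
// a syntactic heuristic only; it misses a literal built elsewhere and passed
// in, which is why real tools track data flow rather than grep for backticks.
function flagTemplateLiteralQueries(source) {
  const findings = [];
  const re = /\.query\(\s*`[^`]*\$\{/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    findings.push(source.slice(0, m.index).split('\n').length);
  }
  return findings;
}

// Constructed sample of the generated route, as a SAST rule would see it.
const SAMPLE_SOURCE = [
  "app.get('/api/users', async (req, res) => {",
  '  const { filter } = req.query;',
  "  const result = await db.query(`SELECT * FROM users WHERE name = '${filter}'`);",
  '  res.json(result.rows);',
  '});',
].join('\n');

const SAMPLE_SOURCE_FIXED = [
  "app.get('/api/users', async (req, res) => {",
  '  const { filter } = req.query;',
  "  const result = await db.query('SELECT * FROM users WHERE name = $1', [filter]);",
  '  res.json(result.rows);',
  '});',
].join('\n');

// A payload that closes the LIKE literal and comments out the rest:
// the vulnerable text becomes ... LIKE '%' OR 1=1 --%'  (returns every row).
const PAYLOAD = "' OR 1=1 --";
```

Run `buildVulnerableQuery(PAYLOAD)` and `buildParameterizedQuery(PAYLOAD)` side by side: the first yields a statement whose WHERE clause is `name LIKE '%' OR 1=1`, the second keeps the payload inert inside `values`. `flagTemplateLiteralQueries(SAMPLE_SOURCE)` reports line 3 and reports nothing for the parameterized version, which is the whole job of the missing SAST step.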



