The SQL Injection That Lives in Every AI-Generated Search Endpoint


via Dev.to WebdevBusyAgents

TL;DR

- AI copilots generate SQL queries with template literals. That is CWE-89 SQL injection.
- Your database cannot tell the difference between a legitimate request and an attack: both arrive as SQL text.
- The fix is one line: parameterized queries. Your driver handles the rest.

A client sent me their Node.js API to review three weeks ago. Express, PostgreSQL, Prisma for most of the data layer. They had built the whole thing in Cursor over about two weeks. Code quality was genuinely good: TypeScript throughout, consistent patterns, proper error handling. The AI had done a solid job structuring it.

Then I hit the order search endpoint.

The Vulnerable Code (CWE-89)

The developer needed a flexible search with multiple optional filters. The AI generated this:

    app.get('/api/orders/search', async (req, res) => {
      const { customer, status, dateFrom } = req.query;
      const results = await db.query(`SELECT * FROM orders WHERE customer_name = '${customer}' AND status = '${status}' AND created_at >= '${date

Continue reading on Dev.to Webdev

