sql-injection-anti-pattern

SQL Injection Anti-Pattern

Severity: Critical

Summary

Attackers execute arbitrary SQL commands by manipulating user input that is concatenated into query strings. This string-concatenation pattern (which AI code assistants frequently reproduce from insecure training data) enables database compromise, data exfiltration, authentication bypass, and remote code execution.

The Anti-Pattern

The anti-pattern is concatenating user data into SQL statements, allowing attackers to break query structure and inject malicious SQL.

BAD Code Example

# VULNERABLE: String concatenation creates injection vector.
import sqlite3

def get_user(db_connection, username):
    # The caller's input is spliced straight into the SQL text, so a value
    # containing a quote can close the literal and append its own SQL.
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return db_connection.execute(query).fetchone()
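As an added example that is not part of the original skill, the vulnerable lookup above beside its parameterized counterpart, both run against a constructed in-memory SQLite database so the difference in behaviour can be checked directly; the helper names (make_db, get_user_unsafe, get_user_safe, compare) are assumptions.

```python
import sqlite3

# Constructed sample database: an in-memory SQLite table with two users.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

# Anti-pattern from the skill: user input concatenated into the SQL text.
def get_user_unsafe(conn, username):
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

# Hardened form: a placeholder binds the input as a value, never as SQL,
# so the query's structure is fixed before the input is ever seen.
def get_user_safe(conn, username):
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Run both lookups on one input; returns (unsafe_row_count, safe_row_count).
def compare(username):
    conn = make_db()
    try:
        return len(get_user_unsafe(conn, username)), len(get_user_safe(conn, username))
    finally:
        conn.close()

if __name__ == "__main__":
    # A well-formed name behaves identically in both versions.
    print("alice:", compare("alice"))
    # An input that closes the quote and appends a tautology changes the
    # query's structure in the concatenated version only; the bound version
    # looks for a user literally named that string and finds none.
    print("crafted:", compare("x' OR '1'='1"))
```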
First Seen: Jan 20, 2026