Never Build Database Queries with String Concatenation

// ❌ Direct interpolation — classic SQL injection vector
export async function getUser(name: string) {
  const result = await prisma.$queryRaw`
    SELECT * FROM users WHERE name = '${name}'
  `
  return result
}
 
// ❌ String concatenation in query builder
export async function searchProducts(term: string) {
  const query = `SELECT * FROM products WHERE name LIKE '%${term}%'`
  const result = await db.execute(query)
  return result
}

// ✅ Prisma tagged template (auto-parameterized)
export async function getUser(name: string) {
  const result = await prisma.$queryRaw(
    Prisma.sql`SELECT * FROM users WHERE name = ${name}`
  )
  return result
}
 
// ✅ Better: use the ORM's query builder
export async function getUser(name: string) {
  return prisma.user.findFirst({
    where: { name },
  })
}
 
// ✅ Drizzle parameterized query
export async function searchProducts(term: string) {
  return db
    .select()
    .from(products)
    .where(like(products.name, `%${term}%`))
}

// ❌ String interpolation in Supabase RPC
const { data } = await supabase.rpc('search_users', {
  query: `%${userInput}%`  // Could be safe depending on the function, but risky pattern
})
 
// ✅ Use Supabase query builder
const { data } = await supabase
  .from('users')
  .select('*')
  .ilike('name', `%${userInput}%`)  // Properly parameterized by the SDK

# Find potential SQL injection patterns
grep -rn '\$queryRaw`' src/ --include="*.ts" --include="*.tsx" | grep '\${'
grep -rn "execute(" src/ --include="*.ts" | grep -E "(\+|concat|\`)"
grep -rn "query(" src/ --include="*.ts" | grep -E "(\+|concat|\`)"