How does an AI code generator ship Injection?

String interpolation reads beautifully. A model writes 'WHERE name = ' plus the variable, and it looks exactly like every example in its training data. Parameterised queries look clunkier, so they lose the coin flip whenever the prompt does not explicitly mention them. ORMs protect most calls, but the one raw query somebody slipped in for performance is often the one that ships.

How do attackers find Injection bugs?

They type a quote. They type a curly brace. They paste a script tag into the comment box. The error message, the rendered output, or the response time tells them whether anything parsed. From there it is a walk: dump the schema, read the secrets, pivot.

How does Flowpatrol detect Injection?

Flowpatrol crawls every input and sends a curated set of probes — boolean payloads, time-based payloads, template fragments, reflected strings. When the response changes in a way only a parser could cause, we log the confirmation and walk the bug back to the exact parameter and route. You get the payload, the response diff, and the fix.

Injection — A03 in OWASP Top 10 for Web Applications

Everyone knows about SQL injection. Nobody writes it on purpose anymore. So how does it keep shipping? Because the model wrote a perfectly normal-looking search endpoint, and somewhere in the middle of that endpoint there is a template string that should have been a parameter.

Injection happens when user input gets treated as code instead of data. SQL injection is the famous one, but the family is larger: XSS in the browser, template injection in server-rendered views, command injection in a shell call, NoSQL injection in a Mongo filter. They all share a single root cause — data and instructions sharing the same channel.

What your AI actually built

You asked for a search endpoint. The model gave you one: take a query string, filter the users table, return the matches. Works on the happy path. Looks like every tutorial you have ever read.

What it did not do was bind the parameter. The search term gets concatenated into the SQL directly, because string interpolation reads naturally and the model has seen a thousand examples that look identical. The ORM call right next to it uses prepared statements — but this one raw query slipped through.

The same pattern lives one layer up in the frontend, where a comment renders through dangerouslySetInnerHTML. And one layer down in a job runner that passes a filename into exec without quoting. Different syntax, same bug: data treated as code.

How it gets exploited

The attacker finds a search box on the public site. They type a single quote and press enter.

1
Probe the input
A stray quote crashes the endpoint with a Postgres error message. The error leaks the query, which tells them exactly what to inject.
2
Read the schema
A UNION SELECT against information_schema dumps every table and column name. They find users, sessions, and api_keys.
3
Exfiltrate
A second UNION returns email and password_hash pairs. They page through the results 50 rows at a time.
4
Escalate
The api_keys table includes a Stripe live key. That key works. They are now pulling customer data from an unrelated service.

A single-character payload turned a read-only search box into a full database dump and a pivot into a payments provider. The web server logs show five innocuous GETs.

Vulnerable vs Fixed

Vulnerable — query built by string concat

// app/api/search/route.ts
import { sql } from '@/lib/db';

export async function GET(req: Request) {
  const q = new URL(req.url).searchParams.get('q') ?? '';

  const rows = await sql.unsafe(
    "SELECT id, name FROM users WHERE name ILIKE '%" + q + "%'",
  );

  return Response.json(rows);
}

Fixed — parameterised query

// app/api/search/route.ts
import { sql } from '@/lib/db';

export async function GET(req: Request) {
  const q = new URL(req.url).searchParams.get('q') ?? '';

  const rows = await sql`
    SELECT id, name FROM users
    WHERE name ILIKE ${'%' + q + '%'}
  `;

  return Response.json(rows);
}

The tagged template hands the parameter to the driver separately from the query text. The database now treats q as a value, never as SQL. Nothing else about the endpoint changes.

A real case

British Airways lost 380,000 card records to an injected script

Magecart attackers injected 22 lines of JavaScript into a third-party library on the BA checkout page — the same class of bug, moved to the client side.

References

Find every place user input ends up in a query.

Flowpatrol probes every route on your app and confirms each injection finding with a real payload. Five minutes. One URL.

Try it free

What your AI actually built

You asked for a search endpoint. The model gave you one: take a query string, filter the users table, return the matches. Works on the happy path. Looks like every tutorial you have ever read.

How it gets exploited

The attacker finds a search box on the public site. They type a single quote and press enter.

1
Probe the input
A stray quote crashes the endpoint with a Postgres error message. The error leaks the query, which tells them exactly what to inject.
2
Read the schema
A UNION SELECT against information_schema dumps every table and column name. They find users, sessions, and api_keys.
3
Exfiltrate
A second UNION returns email and password_hash pairs. They page through the results 50 rows at a time.
4
Escalate
The api_keys table includes a Stripe live key. That key works. They are now pulling customer data from an unrelated service.

A single-character payload turned a read-only search box into a full database dump and a pivot into a payments provider. The web server logs show five innocuous GETs.

Vulnerable vs Fixed

Vulnerable — query built by string concat

// app/api/search/route.ts
import { sql } from '@/lib/db';

export async function GET(req: Request) {
  const q = new URL(req.url).searchParams.get('q') ?? '';

  const rows = await sql.unsafe(
    "SELECT id, name FROM users WHERE name ILIKE '%" + q + "%'",
  );

  return Response.json(rows);
}

Fixed — parameterised query

// app/api/search/route.ts
import { sql } from '@/lib/db';

export async function GET(req: Request) {
  const q = new URL(req.url).searchParams.get('q') ?? '';

  const rows = await sql`
    SELECT id, name FROM users
    WHERE name ILIKE ${'%' + q + '%'}
  `;

  return Response.json(rows);
}

The tagged template hands the parameter to the driver separately from the query text. The database now treats q as a value, never as SQL. Nothing else about the endpoint changes.

Quote in the input box
Injection

What your AI actually built

How it gets exploited

Vulnerable vs Fixed

A real case

British Airways lost 380,000 card records to an injected script

Related reading

Glossary

What we find

References

Find every place user input ends up in a query.

Quote in the input box
Injection

What your AI actually built

How it gets exploited

Vulnerable vs Fixed

A real case

British Airways lost 380,000 card records to an injected script

Related reading

Glossary

What we find

References

Find every place user input ends up in a query.

Quote in the input boxInjection

What your AI actually built

How it gets exploited

Vulnerable vs Fixed

A real case

British Airways lost 380,000 card records to an injected script

Related reading

Glossary

What we find

References

Find every place user input ends up in a query.

Quote in the input boxInjection

What your AI actually built

How it gets exploited

Vulnerable vs Fixed

A real case

British Airways lost 380,000 card records to an injected script

Related reading

Glossary

What we find

References

Find every place user input ends up in a query.

Quote in the input box
Injection

Quote in the input box
Injection