YepAPI

SQL Injection Prevention Agent Skill

SQL injection prevention — parameterized queries, ORM safety, dynamic query guards.

Tags: security, sql, injection, database

The Skill


SKILL.md
---
description: SQL injection prevention — parameterized queries, ORM safety, dynamic query guards.
homepage: https://yepapi.com/skills/sql-injection
metadata:
  tags: [security, sql, injection, database]
---

# SQL Injection Prevention

## Rules

- ALWAYS use parameterized queries — never string-concatenate user input into SQL
- ORM query builders (Prisma, Drizzle) are parameterized by default: use them rather than hand-written SQL
- When raw SQL is unavoidable, use the ORM's parameterized raw query method (Prisma's `$queryRaw` tagged template, Drizzle's `sql` tagged template), not the string-based variants such as `$queryRawUnsafe` or `sql.raw()`
- Validate column names for dynamic `ORDER BY` against an allowlist — parameterization cannot protect identifiers
- Use least-privilege database users: your app should not connect as `root` or `postgres`
- Log and alert on SQL errors that suggest injection attempts: once every query is parameterized, a syntax error or type-cast failure triggered by request input should never occur, so treat it as a signal rather than noise

```ts
// Parameterized query (node-postgres style): SAFE, userId is sent as a bound
// value and never spliced into the SQL text. query() returns a result object,
// the matched rows live in result.rows
const { rows: [user] } = await db.query("SELECT * FROM users WHERE id = $1", [userId]);

// Prisma: SAFE by default, the query builder binds every value
const user = await prisma.user.findUnique({ where: { id: userId } });

// Drizzle: SAFE by default, the builder binds values; select() resolves to an array
const [user] = await db.select().from(users).where(eq(users.id, userId));

// Prisma raw query: SAFE, $queryRaw as a tagged template turns ${email} into a
// bound parameter (the string-based $queryRawUnsafe does not)
const users = await prisma.$queryRaw`SELECT * FROM users WHERE email = ${email}`;
```

```ts
// Dynamic ORDER BY: identifiers cannot be bound as parameters, so validate the
// column name against a closed allowlist before it reaches the SQL text
const ALLOWED_COLUMNS = ["name", "created_at", "email"] as const;
type AllowedColumn = (typeof ALLOWED_COLUMNS)[number];

function safeOrderBy(column: string): AllowedColumn {
  if (!(ALLOWED_COLUMNS as readonly string[]).includes(column)) {
    throw new Error("Invalid sort column");
  }
  return column as AllowedColumn;
}
```
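As an added example that is not part of the YepAPI skill, the allowlist idea above carried through into a complete query builder: user-supplied values become node-postgres style `$n` placeholders, the sort column and direction come from closed allowlists, and the LIMIT is validated and capped. The builder returns `{ text, values }` instead of executing, so it runs offline; the `UserSearch` shape, the function names and the attacker inputs are all constructed for this example.

```typescript
// Added example, not the skill's own code. Builds node-postgres style
// queries ({ text, values }) without touching a database.

type SqlQuery = { text: string; values: unknown[] };

// Identifiers cannot be bound as parameters, so the sortable columns and
// the direction come from closed allowlists. Anything else is rejected.
const SORTABLE_COLUMNS = ["name", "created_at", "email"] as const;
type SortableColumn = (typeof SORTABLE_COLUMNS)[number];

function assertSortColumn(column: string): SortableColumn {
  if (!(SORTABLE_COLUMNS as readonly string[]).includes(column)) {
    throw new Error(`Invalid sort column: ${column}`);
  }
  return column as SortableColumn;
}

function assertSortDirection(dir: string): "ASC" | "DESC" {
  const upper = dir.toUpperCase();
  if (upper !== "ASC" && upper !== "DESC") {
    throw new Error(`Invalid sort direction: ${dir}`);
  }
  return upper as "ASC" | "DESC";
}

// LIMIT is a value, so it is bound as a parameter, but it is still
// validated and capped so a caller cannot ask for the whole table.
function clampLimit(limit: number): number {
  if (!Number.isInteger(limit) || limit < 1) throw new Error(`Invalid limit: ${limit}`);
  return Math.min(limit, 100);
}

// Hypothetical request shape for this example.
interface UserSearch { email: string; sortBy: string; sortDir: string; limit: number }

// SAFE: every user-supplied value is a bound parameter; the identifier
// interpolated into the text is the allowlisted constant, not the raw input.
function buildUserSearch(q: UserSearch): SqlQuery {
  const column = assertSortColumn(q.sortBy);
  const direction = assertSortDirection(q.sortDir);
  return {
    text: `SELECT id, name, email FROM users WHERE email = $1 ORDER BY "${column}" ${direction} LIMIT $2`,
    values: [q.email, clampLimit(q.limit)],
  };
}

// UNSAFE: the same query by string concatenation, kept only to show what
// the database would receive for the hostile inputs below.
function buildUserSearchUnsafe(q: UserSearch): string {
  return `SELECT id, name, email FROM users WHERE email = '${q.email}' ORDER BY ${q.sortBy} ${q.sortDir} LIMIT ${q.limit}`;
}

// Constructed attacker inputs: a tautology in a value, a subquery in an identifier.
const hostileValue: UserSearch = { email: "x' OR '1'='1", sortBy: "name", sortDir: "asc", limit: 10 };
const hostileIdentifier: UserSearch = { email: "a@b.c", sortBy: "(SELECT password FROM users LIMIT 1)", sortDir: "asc", limit: 10 };

// Runs both builders over the hostile inputs and reports what each produced.
function demo(): { bound: SqlQuery; concatenated: string; identifierRejected: boolean } {
  const bound = buildUserSearch(hostileValue);              // payload stays a parameter value
  const concatenated = buildUserSearchUnsafe(hostileValue); // payload becomes SQL
  let identifierRejected = false;
  try {
    buildUserSearch(hostileIdentifier);
  } catch {
    identifierRejected = true; // the allowlist, not parameterization, stops this one
  }
  return { bound, concatenated, identifierRejected };
}

const result = demo();
console.log(result.bound.text, result.bound.values);
console.log(result.concatenated);
console.log("identifier payload rejected:", result.identifierRejected);
```

The two outputs side by side make the rule concrete: in the bound version the tautology is just the string value of `$1`, while the concatenated version hands the database `email = 'x' OR '1'='1'`. The subquery in `sortBy` is never reachable by parameterization at all, which is why the allowlist throws before any SQL text is built.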

## Avoid

- `db.query("SELECT * FROM users WHERE id = " + userId)` — classic injection
- Template literals in SQL: `` `SELECT * FROM users WHERE name = '${name}'` `` passed to a plain query function is still injection; a template literal is string concatenation unless the function is a tagged template such as Prisma's `$queryRaw`
- Trusting ORM raw-string methods (Prisma `$queryRawUnsafe` / `$executeRawUnsafe`, Drizzle `sql.raw()`) with string concatenation: raw means raw
- Dynamic table or column names from user input without strict allowlist validation
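The rule about logging and alerting on suspicious SQL errors, as an added example that is not part of the skill: once every application query is parameterized, a runtime syntax error or a type-cast failure on request-derived input is something the application should never produce on its own, so it deserves an alert rather than a generic error line. The classifier below uses Postgres SQLSTATE codes and a few probe signatures; the error objects follow the node-postgres `{ code, message }` shape, and the sample errors and request inputs are constructed.

```typescript
// Added example, not the skill's own code. Classifies database errors so
// that likely injection probes are logged at alert level. Errors follow the
// node-postgres shape { code, message }; all samples below are constructed.

interface DbError { code?: string; message: string }
interface ErrorRecord {
  level: "alert" | "error";
  reason: string;
  sqlstate?: string;
  inputSample?: string; // truncated, so the log itself does not store a full payload
}

// Postgres SQLSTATE values a fully parameterized application should never
// hit at runtime. If one appears on a request path, either a query is being
// built from user input or a validation step is missing.
const UNEXPECTED_SQLSTATE: Record<string, string> = {
  "42601": "syntax_error",
  "42703": "undefined_column",
  "42P01": "undefined_table",
  "22P02": "invalid_text_representation", // e.g. "1 OR 1=1" where an integer was expected
};

// Fragments that commonly survive in request parameters used for probing.
const PROBE_PATTERNS: RegExp[] = [
  /'\s*(or|and)\s+/i,               // ' OR 1=1
  /union\s+select/i,
  /;\s*(drop|alter|delete|update)\s/i,
  /(pg_)?sleep\s*\(/i,              // time-based probes
  /waitfor\s+delay/i,
];

function firstProbeMatch(inputs: string[]): string | undefined {
  return inputs.find((v) => PROBE_PATTERNS.some((p) => p.test(v)));
}

// Decide how a failed query should be logged given the request inputs that
// fed it. A probe signature wins over SQLSTATE because it is the stronger signal.
function classifyDbError(err: DbError, requestInputs: string[]): ErrorRecord {
  const probe = firstProbeMatch(requestInputs);
  if (probe !== undefined) {
    return {
      level: "alert",
      reason: "request input matches injection probe pattern",
      sqlstate: err.code,
      inputSample: probe.slice(0, 80),
    };
  }
  const name = err.code ? UNEXPECTED_SQLSTATE[err.code] : undefined;
  if (name !== undefined) {
    return { level: "alert", reason: `unexpected ${name} from application query`, sqlstate: err.code };
  }
  return { level: "error", reason: "database error", sqlstate: err.code };
}

// Constructed samples: two probes, one benign operational error, and one
// unexpected identifier error that carries no probe signature.
const SAMPLES: { err: DbError; inputs: string[] }[] = [
  { err: { code: "42601", message: `syntax error at or near "OR"` }, inputs: ["' OR 1=1 --"] },
  { err: { code: "22P02", message: `invalid input syntax for type integer: "1 UNION SELECT 1"` }, inputs: ["1 UNION SELECT 1"] },
  { err: { code: "23505", message: "duplicate key value violates unique constraint" }, inputs: ["alice@example.com"] },
  { err: { code: "42703", message: `column "nmae" does not exist` }, inputs: ["nmae"] },
];

function classifySamples(): ErrorRecord[] {
  return SAMPLES.map((s) => classifyDbError(s.err, s.inputs));
}

for (const record of classifySamples()) {
  // In a real service this record would go to the structured logger / SIEM pipeline.
  console.log(JSON.stringify(record));
}
```

The fourth sample is the interesting one: no probe signature, but an `undefined_column` error on a request path means a column name from the request reached the SQL text, which is exactly the dynamic-identifier gap that parameterization cannot close. The unique-violation error is ordinary application behaviour and stays at error level.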


Why Use the SQL Injection Prevention Skill?

Without this skill, your AI guesses at SQL injection prevention patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset, and every suggestion aligns with current standards.

Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.

Try These Prompts

These prompts work better with the SQL Injection Prevention skill installed. Your AI knows the context and writes code that fits.

"Refactor my raw SQL queries to use parameterized queries to prevent injection"

"Add a safe dynamic ORDER BY helper that validates column names against an allowlist"

"Audit my codebase for SQL injection vulnerabilities and fix them"

SQL Injection Prevention skill — FAQ

It provides rules for parameterized queries, safe ORM usage, dynamic ORDER BY validation, and least-privilege database connections. Your AI writes SQL that keeps user input out of the query text, which is what makes it resistant to injection.

Run `npx skills add YepAPI/skills --skill sql-injection` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.

Yes, Prisma and Drizzle query builders are safe by default because they use parameterized queries, and their tagged-template raw methods (Prisma `$queryRaw`, Drizzle `sql`) bind interpolated values as parameters too. Their string-based raw methods (`$queryRawUnsafe`, `$executeRawUnsafe`, `sql.raw()`) are still vulnerable if you string-concatenate user input.
