Security, 2026-04-29

Preventing SQL Injection: Parameterized Queries as a First-Class Skill

Stop SQL injection at the source — this skill gives AI agents the patterns to use $queryRaw and parameterized queries correctly, making injection a design-time impossibility, not a runtime detection problem.
Install command: `$ mrt install security`

TL;DR

SQL injection remains the #1 web vulnerability because AI agents (like humans) still write string-concatenated queries. This skill enforces parameterized query patterns — $queryRaw in Prisma, prepared statements in raw SQL — making injection structurally impossible, not just detectable.

**Bottom line:** Inject this skill into your agent's defaults and watch SQL injection vulnerabilities drop to zero. No runtime scanners needed when the pattern itself is safe.

10-Second Pitch

  • **Pattern enforcement** — Teaches $queryRaw tagged templates, not raw string concatenation
  • **Prisma-native** — Works with Prisma ORM's safe query builder
  • **Auto-fix suggestions** — When an agent writes a dangerous query, it gets corrected
  • **Audit output** — Shows which queries were verified safe vs. flagged
  • **Framework-agnostic core** — Safe patterns apply to any SQL database

Setup Directions

Step 1 — Configure Prisma Safe Query Rules

```javascript
// prisma.safe.js — Add to your Prisma client config

import { PrismaClient } from '@prisma/client';

const prisma = new PrismaClient({
  log: ['query', 'error'],
});

// Extend client with safe query helpers.
// $queryRaw must be invoked as a tagged template. A tagged call passes a
// TemplateStringsArray (an array carrying a `.raw` property) whose pieces are
// fixed at parse time, so user input can only arrive via `params`, never in
// the SQL text itself.
prisma.$safeQuery = (template, ...params) => {
  // Enforce parameterized queries only: reject a plain (possibly concatenated) string.
  if (typeof template === 'string' || !Array.isArray(template?.raw)) {
    throw new Error('Unsafe: Use $queryRaw with tagged template only');
  }
  return prisma.$queryRaw(template, ...params);
};

export default prisma;
```

Step 2 — Configure the Skill

```json
{
  "enforce_parameterized": true,
  "allowed_engines": ["prisma", "postgres", "mysql"],
  "denylist_patterns": [
    "string concatenation with +",
    "template literals with user input in ${",
    "f-string style injection"
  ]
}
```
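The tagged-template pattern the skill enforces, as an added example that is not the page's or Prisma's code: a stand-in `sql` tag (assumed name) reproduces what $queryRaw does with a tagged call, so the contrast with string concatenation can be run without a database. It assumes Postgres-style `$1` placeholders; the query, table name and hostile input are constructed for the demo.

```javascript
// Added example, not code from the page or from Prisma: a minimal stand-in for
// the $queryRaw tagged-template contract, runnable without a database.

// Tag function. The `strings` array is fixed by the source code at parse time,
// so user-controlled data can only ever land in `values`, never in `text`.
function sql(strings, ...values) {
  // Same enforcement idea as the skill's $safeQuery: reject anything that is
  // not a genuine tagged-template call (a TemplateStringsArray has `.raw`).
  if (!Array.isArray(strings) || !Array.isArray(strings.raw)) {
    throw new Error('Unsafe: call with a tagged template, not a string');
  }
  // Join the fixed pieces with positional placeholders $1, $2, ... (Postgres style).
  const text = strings.reduce((acc, piece, i) => acc + (i === 0 ? '' : `$${i}`) + piece, '');
  return { text, values };
}

// UNSAFE, the pattern the skill denylists: input is spliced into the SQL text.
function findUserUnsafe(email) {
  return { text: "SELECT * FROM users WHERE email = '" + email + "'", values: [] };
}

// SAFE: same query through the tag; `email` travels as bound parameter $1.
function findUserSafe(email) {
  return sql`SELECT * FROM users WHERE email = ${email}`;
}

// Constructed hostile input (a textbook tautology); it must never reach `text`.
const HOSTILE = "' OR '1'='1";

// True when the guard refuses a pre-built string, even one with no user input.
function rejectsPlainString() {
  try {
    sql("SELECT * FROM users WHERE email = 'alice@example.com'");
    return false;
  } catch (err) {
    return /Unsafe/.test(err.message);
  }
}

// Unsafe text now contains the payload; safe text stays "... email = $1"
// with the payload as an inert bound value; the guard rejects plain strings.
console.log(findUserUnsafe(HOSTILE), findUserSafe(HOSTILE), rejectsPlainString());
```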

Pros / Cons

| Pros | Cons |
|---|---|
| Makes injection structurally impossible | Developer education still needed for edge cases |
| Zero runtime overhead vs. runtime WAF approaches | Some legitimate dynamic queries need extra care |
| Works with existing codebases | Requires ongoing monitoring for new query patterns |
| AI-native — agents get it right by default | Framework-specific patterns may not transfer |

Verdict & Sign-Off

SQL injection is a solved problem — the solution is parameterized queries. The issue is enforcement. This skill makes safe queries the default path for your AI agents, not the exception after a security review.