TL;DR
AI editors love string interpolation for SQL. That is exactly how injection gets in.
The bug is invisible in code review because the query "reads" correctly.
One change fixes it: parameterized queries. Never build SQL with template literals.
I asked Cursor to write a login endpoint last week. It gave me clean, readable code that worked on the first try. It also handed me a textbook SQL injection hole, and it did it with a straight face.






