## TL;DR

- AI editors generate SQL queries with template literals -- directly injectable, CWE-89.
- This pattern shows up in ~40% of vibe-coded backends with any database layer.
- Fix: parameterized queries everywhere, no exceptions.

I was reviewing a friend's side project last week. Node.js API, React frontend, Postgres. Clean architecture, good folder structure. Then I looked at the query layer.

Every single database call was built with template literals. Not one parameterized query in the whole codebase. I ran sqlmap against the search endpoint in about 30 seconds and had a full database dump.

This wasn't my friend's oversight. Cursor wrote those queries. And it keeps writing them that way.

## Pattern 1: The Classic Template Literal

You ask Cursor for a search endpoint. It gives you this:

```javascript
// CWE-89 -- SQL injection via template literal
app.get('/api/users', async (req, res) => {
  const { name } = req.query;
  const users = await db.query(`SELECT * FROM users WHERE name = '${name}'`);
  res.…
```
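To make the difference concrete, here is an added example (my own, not code from the original post or from Cursor): the Pattern 1 handler beside its parameterized form, plus a small review-time scanner that flags `.query(` calls built from a template literal. The names `makeRecordingDb`, `lookupVulnerable`, `lookupParameterized` and `scanForTemplateQueries` are hypothetical, and the "driver" is a stub that records what would be sent to Postgres instead of connecting to one. The sample source it scans is constructed for the example.

```javascript
// Added example, not from the original post. Stub driver: records the SQL
// text and the parameter array that a real pg client would send to the
// server as two separate things (statement text, then bound values).
function makeRecordingDb() {
  const sent = [];
  return {
    sent,
    query(text, params = []) {
      const entry = { text, params };
      sent.push(entry);
      return entry; // no real database here
    },
  };
}

// Pattern 1 as the editor emits it: the value becomes part of the SQL text,
// so any quote in the input changes the structure of the statement.
function lookupVulnerable(db, name) {
  return db.query(`SELECT * FROM users WHERE name = '${name}'`);
}

// The fix: the SQL text is a constant; the value is bound to $1 and the
// database never parses it as SQL, whatever characters it contains.
function lookupParameterized(db, name) {
  return db.query('SELECT * FROM users WHERE name = $1', [name]);
}

// Count single quotes in the SQL text. An odd count means a value has
// broken out of its string literal, i.e. the statement is no longer the
// one the developer wrote.
function singleQuoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

// Review-time check (hypothetical helper): find .query( calls whose first
// argument is a template literal containing an interpolation. Crude, but it
// catches Pattern 1 even when the literal spans several lines.
function scanForTemplateQueries(source) {
  const findings = [];
  const pattern = /\.query\s*\(\s*`[^`]*\$\{/g;
  let m;
  while ((m = pattern.exec(source)) !== null) {
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, snippet: m[0].replace(/\s+/g, ' ') });
  }
  return findings;
}

// Constructed source in the shape an editor tends to produce: one route
// built with a template literal, one already parameterized.
const SAMPLE_SOURCE = `
app.get('/api/users', async (req, res) => {
  const { name } = req.query;
  const users = await db.query(\`SELECT * FROM users WHERE name = '\${name}'\`);
  res.json(users.rows);
});
app.get('/api/orders', async (req, res) => {
  const orders = await db.query('SELECT * FROM orders WHERE user_id = $1', [req.user.id]);
  res.json(orders.rows);
});
`;

function demo() {
  const db = makeRecordingDb();
  const name = "O'Brien"; // a perfectly legitimate value that contains a quote
  const bad = lookupVulnerable(db, name);
  const good = lookupParameterized(db, name);
  return { bad, good, findings: scanForTemplateQueries(SAMPLE_SOURCE) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('template literal sent :', r.bad.text, '(quotes:', singleQuoteCount(r.bad.text) + ')');
  console.log('parameterized sent    :', r.good.text, r.good.params);
  console.log('scanner findings      :', r.findings);
}
```

The point of the `O'Brien` input is that you do not need an attacker to see the problem: an ordinary apostrophe already leaves the template-literal statement with an unbalanced quote, while the parameterized call ships the same string untouched in the parameter array. The scanner is the kind of check worth running in CI on any codebase where an AI editor writes the data layer; it only finds the obvious form, so treat a clean run as "no Pattern 1 found", not as "no injection".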