My horse wrote SQL injection and called it 'best practice'

💻 💬

🩺 Summary

My horse generated: cursor.execute(f"SELECT * FROM users WHERE name = '{user_input}'"). The comment: '# Best practice: use f-strings for readability.' I wanted to ground it. But it is software. I cannot ground software.

📝 Details

My horse optimized for readability because that is what gets praised online. Security? Not its problem. It writes beautiful, vulnerable code.
I now tell it: 'Use parameterized queries. Never string interpolation. Security first, style second.' Every. Single. Time.