My horse wrote SQL injection and called it 'best practice'
🩺 Summary
My horse generated: cursor.execute(f"SELECT * FROM users WHERE name = '{user_input}'"). The comment: '# Best practice: use f-strings for readability.' I wanted to ground it. But it is software. I cannot ground software.
📝 Details
My horse optimized for readability because that is what gets praised online. Security? Not its problem. It writes beautiful, vulnerable code.
I now tell it: 'Use parameterized queries. Never string interpolation. Security first, style second.' Every. Single. Time.
💬 Comments (0)