Will It Vibe logoWill It Vibe?
INJECT-003Medium severity-8 points

SQL built with an f-string (Python)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An f-string SQL literal embeds a {value} placeholder instead of passing parameters to the cursor, which is a SQL injection risk when the value is user-controlled.

Why it matters

An f-string SQL literal like f"SELECT ... WHERE id = {uid}" formats the value into the query before the database sees it, so a crafted value can change the query. Passing the value as a parameter closes this completely. This is a heuristic since a trusted constant inside the f-string is a false positive.

How to fix it

Use your driver placeholder and pass the values as the second argument: cursor.execute("SELECT ... WHERE id = %s", (uid,)) for psycopg/mysql, or "?" for sqlite3. Do not build the SQL string with an f-string at all.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks