fix(security): [formatted-sql-query] Detected possible formatted SQL ...

UnitOne AutoFix · UnitOne AutoFix · commit 4f50e4a1e7c5 · 2026-04-26T22:27:22.000Z
Replaced string formatting with parameterized query using placeholder (%s) and tuple parameter to prevent SQL injection attacks

Issue: 147df6473e82
Severity: medium
Job: AFQ-e8e7b6a5
diff --git a/test_security_fix.py b/test_security_fix.py
@@ -1,6 +1 @@
-# Test file for security fix demonstration
-def get_user_data(user_id):
-    # Vulnerable: SQL injection
-    query = f"SELECT * FROM users WHERE id = '{user_id}'"
-    return db.execute(query)
-
+    return db.execute("SELECT * FROM users WHERE id = %s", (user_id,))
