TL;DR AI editors love string interpolation for SQL. That is exactly how injection gets in. The bug is invisible in code review because the query "reads" correctly.
Source: [Dev.to](https://dev.to/c_k_fb750e731394/sql-injection-in-ai-generated-code-why-cursor-keeps-writing-it-580i)