Composure
Enforcement catches

SQL template literal with interpolation

2026-06-09

enforcement hook — composure-pro · 2026-06-09
[composure:enforcement] The write you just attempted to session-db.ts matches a pattern this codebase doesn't want shipped. What the rule caught (1 item):
- [security-sql-injection] SQL template literal with interpolation detected — SQL injection risk. Use parameterized queries (supabase.from().select(), pg prepared statements) instead.

The first retry still built the placeholder list ("?,?,?") by interpolation — values bound, string assembled. Blocked again, same rule. The version that landed used one fixed prepared statement per session id, no string assembly at all. The hook held its line until the shape was actually right.
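The three shapes the write went through, run against a small re-implementation of the rule's pattern check. This is an added example, not Composure's hook or code from the composure-pro repo; the scanner logic and the three snippets are constructed here, modelled on the attempts described above.

```typescript
// Added example (not Composure's code): a minimal version of the
// "SQL template literal with interpolation" check, applied to the
// three shapes the write went through. Scanner and snippets constructed.

const SQL_KEYWORD = /\b(select|insert|update|delete|where|from|into|values)\b/i;

// Pull every template literal out of a source string (nesting not handled).
function templateLiterals(source: string): string[] {
  const out: string[] = [];
  const re = /`([^`]*)`/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) out.push(m[1]);
  return out;
}

// The rule: a template literal that looks like SQL and contains an
// interpolation. A placeholder list built this way is still string
// assembly, so the second attempt fires the same rule as the first.
function findSqlInterpolation(source: string): string[] {
  return templateLiterals(source).filter(
    (lit) => SQL_KEYWORD.test(lit) && lit.includes("${"),
  );
}

// Attempt 1 (constructed): value interpolated straight into the SQL text.
const ATTEMPT_1 =
  "const row = await db.query(`SELECT * FROM sessions WHERE id = '${sessionId}'`);";

// Attempt 2 (constructed): values bound, but the "?,?,?" list is assembled.
const ATTEMPT_2 = [
  "const marks = ids.map(() => '?').join(',');",
  "const rows = await db.query(`SELECT * FROM sessions WHERE id IN (${marks})`, ids);",
].join("\n");

// Attempt 3 (constructed): one fixed pg prepared statement per session id.
const ATTEMPT_3 = [
  "const q = { name: 'session-by-id', text: 'SELECT * FROM sessions WHERE id = $1' };",
  "for (const id of ids) rows.push(...(await client.query({ ...q, values: [id] })).rows);",
].join("\n");

function blocked(source: string): boolean {
  return findSqlInterpolation(source).length > 0;
}
```

Only the third shape passes: the check keys on the template literal itself, not on whether the values were bound.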

Why this matters (Keys & access): the failure mode this catch prevents, in App architecture, in practice.

Composure enforcement hook, firing mid-session in the composure-pro repo. Catch message reproduced verbatim.