CodeReview·AI (3 free · BYOK unlimited)

Code reviewed in seconds

Paste any code snippet. AI catches bugs, security holes, and performance issues — with fix suggestions. No account needed.

See it in action

Paste code → structured review in seconds

AI spots bugs, security holes, and performance issues — with fix suggestions.

fetchUserData.js
```javascript
async function fetchUserData(userId) {
  const query = "SELECT * FROM users WHERE id = " + userId;
  const result = await db.query(query);

  const password = result[0].password;
  console.log("User password:", password);

  return {
    id: result[0].id,
    name: result[0].name,
    email: result[0].email,
    password: password
  };
}

async function updateUser(userId, data) {
  await db.query(`UPDATE users SET ${JSON.stringify(data)} WHERE id=${userId}`);
  return true;
}
```
review.md (AI review)
## Code Review

### Summary
This code has **critical security vulnerabilities** that must be fixed before production use. Two SQL injection attack vectors, sensitive data exposure, and missing error handling were identified.

---

### Issues Found

#### 🔴 Critical

**SQL Injection — `fetchUserData`**
String concatenation builds SQL queries directly from user input. An attacker can pass `1 OR 1=1` as `userId` to dump the entire users table.
```diff
- const query = "SELECT * FROM users WHERE id = " + userId;
+ const query = "SELECT id, name, email FROM users WHERE id = ?";
+ const result = awai
```
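Review bot: the `?` placeholder in the added SELECT only prevents injection if `userId` is also handed to the driver as a bound parameter (for example `db.query(query, [userId])` with a driver that uses `?` placeholders; the PostgreSQL `pg` driver uses `$1` instead), and the diff as shown breaks off at `const result = awai` before that call appears, so the hunk does not yet show the complete fix. Dropping `password` from the select list is the right complement to the data-exposure finding; it would also be worth rejecting any `userId` that is not an integer before the query is built.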

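The review above describes the injection in `fetchUserData` and a parameterized replacement. As an added example (not code from the page or from the CodeReview·AI product), the following puts the vulnerable concatenation next to hardened versions of both `fetchUserData` and `updateUser`: the id is validated and bound, the update uses a column allowlist because identifiers cannot be bound, and the password column is never selected or logged. `db`, the `USERS` rows and the `?`-placeholder convention are all constructed stand-ins for a real driver and table.

```javascript
// Added example, not code from the page: the concatenated query from the
// snippet above beside a hardened fetchUserData/updateUser pair that validate
// input, bind parameters and never select the password column. `db` is a
// constructed in-memory stand-in for a driver that takes `?` placeholders
// plus a values array, the convention mysql-style drivers use.

// Constructed sample rows standing in for the `users` table.
const USERS = [
  { id: 1, name: "alice", email: "alice@example.test", password: "hash-a" },
  { id: 2, name: "bob", email: "bob@example.test", password: "hash-b" },
];

// Stand-in driver: records every call and matches a bound id as one value.
// It never interprets a bound value as SQL, which is the property real
// parameter binding gives you. Unparameterized calls are refused outright.
const db = {
  calls: [],
  async query(text, values = []) {
    this.calls.push({ text, values });
    if (values.length === 0) {
      throw new Error("stand-in driver refuses unparameterized queries");
    }
    // The id is always the last bound value in the queries built below.
    return USERS.filter((u) => u.id === values[values.length - 1]);
  },
};

// The vulnerable pattern from the snippet, isolated so the effect of an
// injected value on the query text can be inspected without executing it.
function buildUnsafeQuery(userId) {
  return "SELECT * FROM users WHERE id = " + userId;
}

// Accept only positive integers (as a number or decimal string); anything
// else, including "1 OR 1=1", is rejected before it reaches the driver.
function isValidUserId(userId) {
  return /^[1-9][0-9]*$/.test(String(userId));
}

// Hardened read: validate, bind the id, select only the columns the caller
// needs, and never log or return the password hash.
async function fetchUserData(userId) {
  if (!isValidUserId(userId)) {
    throw new TypeError("userId must be a positive integer");
  }
  const rows = await db.query(
    "SELECT id, name, email FROM users WHERE id = ?",
    [Number(userId)]
  );
  if (rows.length === 0) return null;
  const { id, name, email } = rows[0];
  return { id, name, email };
}

// Column allowlist for updates: identifiers cannot be bound as parameters,
// so they must come from a fixed set rather than from the request body.
const UPDATABLE_COLUMNS = ["name", "email"];

// Hardened write: build "SET col = ?, col = ?" from allowlisted keys only
// and bind every value, so neither keys nor values can alter the statement.
function buildUpdateQuery(userId, data) {
  if (!isValidUserId(userId)) {
    throw new TypeError("userId must be a positive integer");
  }
  const keys = Object.keys(data).filter((k) => UPDATABLE_COLUMNS.includes(k));
  if (keys.length === 0) {
    throw new TypeError("no updatable columns in payload");
  }
  const assignments = keys.map((k) => `${k} = ?`).join(", ");
  return {
    text: `UPDATE users SET ${assignments} WHERE id = ?`,
    values: [...keys.map((k) => data[k]), Number(userId)],
  };
}

async function updateUser(userId, data) {
  const { text, values } = buildUpdateQuery(userId, data);
  await db.query(text, values);
  return true;
}

// Runs the review's example payload through both paths.
async function demo() {
  const payload = "1 OR 1=1";
  const unsafe = buildUnsafeQuery(payload); // payload lands in the SQL text
  let rejected = false;
  try {
    await fetchUserData(payload); // never reaches the driver
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const user = await fetchUserData("1");
  // "password" and "role" are silently dropped by the allowlist.
  const updated = await updateUser(1, { name: "alice2", password: "x", role: "admin" });
  return { unsafe, rejected, user, updated };
}

demo().then((r) => console.log(JSON.stringify({ ...r, calls: db.calls }, null, 2)));
```

Running it prints the unsafe query text with the payload embedded verbatim, `rejected: true` for the hardened read, the user object without a password field, and the two parameterized calls the stand-in driver recorded. The allowlist in `buildUpdateQuery` is the part people most often skip: a `?` can bind a value but not a column name, so the keys of `data` have to be constrained some other way.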