
5 Things to Check in Your AI-Generated Code Before Launching

VCX Team · March 14, 2026 · 4 min read



You built it with AI. It works. It's fast. Now you're ready to ship.

Before you deploy, here are 5 concrete things to check — patterns that AI coding assistants frequently generate without warning.


1. String Interpolation in SQL Queries

What to look for:

// ❌ Dangerous - AI generates this often
const query = `SELECT * FROM users WHERE id = '${userId}'`;

// ✅ Safe - parameterized query
const query = 'SELECT * FROM users WHERE id = ?';
db.query(query, [userId]);

Why it matters: AI assistants love template literals because they're readable. But when user input flows into SQL strings, you get SQL injection.

How to find it: Search your codebase for:

  • `...${...}` patterns near SQL keywords (SELECT, INSERT, UPDATE, WHERE)
  • String concatenation with + in database calls

Real finding from a VCX scan:

SEC-SQLI-001 · CRITICAL
src/lib/db.ts · line 42
WHERE email = '${req.body.email}'

2. Hardcoded Secrets and API Keys

What to look for:

// ❌ Exposed in source
const OPENAI_KEY = "sk-proj-abc123...";
const DATABASE_URL = "postgres://user:pass@host/db";

// ✅ Environment variables
const OPENAI_KEY = process.env.OPENAI_API_KEY;
const DATABASE_URL = process.env.DATABASE_URL;

Why it matters: AI often suggests hardcoded values during development for convenience. They work. You forget to remove them. Now your production credentials are in git.

How to find it: Search for:

  • apiKey = " or apiKey: "
  • secret = " or password = "
  • Strings starting with sk-, ghp_, AKIA (AWS keys)
  • Database URLs with credentials embedded

3. Missing Authentication Middleware

What to look for:

// ❌ No auth check
app.get('/api/users', async (req, res) => {
  const users = await db.query('SELECT * FROM users');
  res.json(users);
});

// ✅ Protected route (requireAuth is your authentication middleware)
app.get('/api/users', requireAuth, async (req, res) => {
  // Only authenticated users reach here
  const users = await db.query('SELECT * FROM users');
  res.json(users);
});

Why it matters: AI generates route handlers that work perfectly — but without auth. You test them, they work. You ship. Suddenly your /api/admin routes are public.

How to find it:

  • List all your API routes
  • Check each one for middleware or auth checks
  • Pay special attention to routes with "admin", "delete", "update", or sensitive data

4. Dangerous eval() and Function() Calls

What to look for:

// ❌ Code injection risk
const result = eval(userInput);
const func = new Function('return ' + userCode);

// ✅ Safe alternatives
const result = JSON.parse(userInput);
// Or use a proper parser/sandbox

Why it matters: AI sometimes suggests eval() for dynamic behavior. It works. It's also a remote code execution vulnerability.

How to find it: Search for:

  • eval(
  • new Function(
  • setTimeout( with string arguments
  • setInterval( with string arguments
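The searches in sections 1, 2 and 4 boil down to a handful of line-level patterns. As an added example (not VCX's own scanner), here is a small Node script that runs those checks over a constructed sample file and reports findings in the same id / severity / file / line / snippet shape the post shows. SEC-SQLI-001 is the rule ID from the post; the other two rule IDs are hypothetical placeholders.

```javascript
// Added example, not VCX's scanner: a grep-style checker for the patterns
// sections 1, 2 and 4 tell you to search for. Only SEC-SQLI-001 appears in
// the post; the other rule IDs are hypothetical placeholders.
const SQL_KEYWORDS = /\b(SELECT|INSERT|UPDATE|DELETE|WHERE)\b/i;

// Each rule has an id, a severity and a test(line) predicate.
const RULES = [
  { id: 'SEC-SQLI-001', severity: 'CRITICAL',
    // `${...}` interpolation or "..." + concatenation next to SQL keywords
    test: (l) => SQL_KEYWORDS.test(l) &&
      (/\$\{[^}]*\}/.test(l) || /['"`]\s*\+\s*\w/.test(l)) },
  { id: 'SEC-SECRET-001', severity: 'HIGH',
    // apiKey/secret/password literals, sk-/ghp_/AKIA prefixes, user:pass@ URLs
    test: (l) => /\b(apiKey|secret|password)\s*[:=]\s*["']/i.test(l) ||
      /["'](sk-|ghp_|AKIA)[A-Za-z0-9_-]+/.test(l) ||
      /["']\w+:\/\/[^"'\s]+:[^"'\s]+@/.test(l) },
  { id: 'SEC-EVAL-001', severity: 'HIGH',
    // eval(, new Function(, and setTimeout/setInterval with a string body
    test: (l) => /\beval\s*\(/.test(l) || /\bnew\s+Function\s*\(/.test(l) ||
      /\bset(Timeout|Interval)\s*\(\s*["'`]/.test(l) },
];

// Scan one file's text line by line. Each finding carries the fields a VCX
// finding shows: rule id, severity, file, 1-based line and the snippet.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.test(line)) {
        findings.push({ id: rule.id, severity: rule.severity,
                        file, line: i + 1, snippet: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample file mixing the post's bad and good patterns.
const SAMPLE = [
  "const query = `SELECT * FROM users WHERE email = '${req.body.email}'`;",
  "const rows = db.query('SELECT * FROM users WHERE id = ?', [userId]);",
  'const OPENAI_KEY = "sk-proj-abc123";',
  'const DATABASE_URL = "postgres://user:pass@host/db";',
  'const KEY = process.env.OPENAI_API_KEY;',
  'const result = eval(userInput);',
  'setTimeout("refresh()", 1000);',
].join('\n');

for (const f of scanSource('src/lib/db.ts', SAMPLE)) {
  console.log(`${f.id} · ${f.severity}\n${f.file} · line ${f.line}\n${f.snippet}\n`);
}
```

The sample yields five findings (lines 1, 3, 4, 6 and 7); the parameterized query on line 2 and the process.env lookup on line 5 are not flagged.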

5. Missing Error Handling That Leaks Stack Traces

What to look for:

// ❌ Exposes internal details
app.get('/api/data', async (req, res) => {
  const data = await fetchData();
  res.json(data);
});

// ✅ Proper error handling
app.get('/api/data', async (req, res) => {
  try {
    const data = await fetchData();
    res.json(data);
  } catch (error) {
    console.error(error);
    res.status(500).json({ error: 'Internal server error' });
  }
});

Why it matters: Unhandled errors crash your app and leak stack traces to users. Those stack traces reveal file paths, library versions, and internal structure.

How to find it: Look for:

  • Async routes without try/catch
  • Database calls without error handling
  • API routes that could fail without response handling

The Faster Way: Run VCX

You could grep your codebase for all of these patterns. Or you could run one command:

vcx scan ./your-repo

VCX checks for all 5 of these issues plus:

  • XSS vulnerabilities
  • Insecure dependencies
  • Performance anti-patterns
  • Dead code

Every finding comes with:

  • The exact file and line number
  • The vulnerable code snippet
  • A suggested fix
  • A rule ID you can look up



Summary Checklist

Before you launch that AI-generated app:

  • [ ] No string interpolation in SQL queries
  • [ ] No hardcoded secrets or API keys
  • [ ] All sensitive routes have auth middleware
  • [ ] No eval() or new Function() with user input
  • [ ] All API routes have proper error handling

Your AI built it. Make sure it's safe to ship.


Scan your codebase free at VCX — takes 2 minutes, no credit card required.
