Intent-Code Divergence
Medium
- Confidence: 95%
- Finding: The document explicitly claims the looping syntax is 'naturally immune to SQL injection' because values are safely escaped, but elsewhere it describes raw value substitution into SQL fragments (quoted placeholders, LIKE patterns, IN lists, and block snippets) without showing that these positions carry prepared-statement semantics. Escaping quotes only protects a value that lands inside a quoted string literal; it does nothing for LIKE wildcards, for unquoted or list positions, or for snippets that splice raw SQL text. The immunity claim can therefore mislead users into trusting unsafe templating patterns and increases the chance that untrusted input reaches generated SQL in exploitable ways.
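The following is an added example, written for this review and not code from the reviewed document or its project, that makes the distinction concrete. It assumes a hypothetical escape-then-substitute routine (`_escape`, which doubles single quotes, standing in for whatever the document's templating applies) and a constructed in-memory SQLite table. Escaping is enough for the quoted-placeholder case, but the same escaped value spliced into a LIKE pattern still acts as pattern syntax, and a value spliced raw into an IN list becomes SQL; the parameterized variants bind the value instead.

```python
"""Escape-then-substitute templating versus bound parameters in SQLite.

Added example for this review; the table contents and the `_escape` helper
are constructed here and are not taken from the reviewed document.
"""
import sqlite3


def _escape(value: str) -> str:
    # Hypothetical escaping step of the kind a template engine applies before
    # splicing a value into a quoted SQL fragment: doubles single quotes only.
    return value.replace("'", "''")


def setup_db() -> sqlite3.Connection:
    # Constructed sample data.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users(name, role) VALUES
          ('alice', 'user'), ('bob', 'user'), ('carol', 'admin'), ('dave', 'admin');
    """)
    return con


# --- Escape-then-substitute ("template") variants ---------------------------

def tmpl_quoted(con, name):
    # Quoted placeholder: doubling quotes keeps the value inside the literal.
    sql = f"SELECT name FROM users WHERE name = '{_escape(name)}'"
    return [r[0] for r in con.execute(sql)]


def tmpl_like(con, prefix):
    # LIKE pattern: quotes are escaped, but '%' and '_' pass straight through,
    # so the caller still controls the pattern (a '%' prefix matches every row).
    sql = f"SELECT name FROM users WHERE name LIKE '{_escape(prefix)}%'"
    return [r[0] for r in con.execute(sql)]


def tmpl_in_list(con, ids):
    # IN list: elements are spliced raw, with no quoting or type check, so a
    # string element is interpreted as SQL text.
    joined = ", ".join(str(i) for i in ids)
    sql = f"SELECT name FROM users WHERE id IN ({joined})"
    return [r[0] for r in con.execute(sql)]


# --- Bound-parameter equivalents ---------------------------------------------

def param_quoted(con, name):
    return [r[0] for r in con.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def param_like(con, prefix):
    # Neutralise LIKE metacharacters in the data, declare the escape character,
    # and bind the finished pattern; the SQL text never contains the value.
    pat = (prefix.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_")) + "%"
    return [r[0] for r in con.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pat,))]


def param_in_list(con, ids):
    # One '?' per element; a non-integer element raises ValueError instead of
    # becoming SQL.
    ids = [int(i) for i in ids]
    marks = ", ".join(["?"] * len(ids))
    return [r[0] for r in con.execute(
        f"SELECT name FROM users WHERE id IN ({marks})", ids)]


if __name__ == "__main__":
    con = setup_db()
    payload = "0) OR role = 'admin' --"
    print("quoted, escaped:   ", tmpl_quoted(con, "alice' OR '1'='1"))
    print("LIKE, escaped:     ", tmpl_like(con, "%"))
    print("LIKE, bound:       ", param_like(con, "%"))
    print("IN list, spliced:  ", tmpl_in_list(con, [payload]))
    try:
        param_in_list(con, [payload])
    except ValueError as exc:
        print("IN list, bound:    rejected:", exc)
```

Running the script shows the escaped quoted placeholder returning nothing for the classic `' OR '1'='1` input, while the escaped LIKE template returns every user for a bare `%` and the spliced IN list returns the admin rows for a payload that closes the parenthesis and comments out the rest. The bound versions return no rows for `%` and reject the IN-list payload before any SQL runs. A document that claims immunity should demonstrate this kind of behaviour for each substitution position it supports, not only for the quoted-literal case.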
