Can Windsurf generate code with SQL injection flaws?
Windsurf can generate database queries that concatenate user input directly into SQL strings rather than using parameterized queries or prepared statements. This pattern is common in training data from open-source projects and tutorials that prioritize simplicity over security. AI code generators, Windsurf included, often produce string-interpolation patterns such as template literals inside SQL queries when the prompt does not explicitly ask for parameterized queries. Even when an ORM is in use, Windsurf may generate raw query calls that bypass the ORM's safety features. UNPWNED tests deployed applications for SQL injection vulnerabilities across all detected endpoints and form fields.
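As an added example (not code from UNPWNED, Windsurf, or any project the page describes), here is the template-literal query pattern the answer describes beside its parameterized form, followed by a small heuristic check a reviewer can run over generated source. The `$1` placeholder style and the `.query`/`.raw`/`.execute` method names are assumptions about the driver or ORM in use; the sample source is constructed.

```javascript
// Vulnerable: user input is interpolated straight into the SQL text, so a
// value containing a quote changes the structure of the statement.
function buildUserQueryUnsafe(email) {
  return `SELECT id, email FROM users WHERE email = '${email}'`;
}

// Hardened: the SQL text is fixed and the input travels separately as a bound
// value, so the driver never parses it as SQL. The {text, values} shape and
// the $1 placeholder follow the node-postgres convention (assumption; other
// drivers use `?`).
function buildUserQuerySafe(email) {
  return {
    text: 'SELECT id, email FROM users WHERE email = $1',
    values: [email],
  };
}

// Heuristic review check: flag query calls whose first argument is a template
// literal that contains an interpolation (`${...}`). A template literal with
// no interpolation is left alone. Constructed for this example; not a
// substitute for a real linter or a dynamic scan.
const INTERPOLATED_QUERY = /\.(query|raw|execute)\(\s*`[^`]*\$\{/;

function findInterpolatedQueries(source) {
  return source
    .split('\n')
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => INTERPOLATED_QUERY.test(text));
}

// Constructed sample source in the style the answer describes.
const SAMPLE_SOURCE = [
  "const rows = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);",
  "const ok = await db.query('SELECT 1');",
  "const u = await knex.raw(`SELECT * FROM users WHERE email = '${email}'`);",
  "const u2 = await knex('users').where({ email }).first();",
].join('\n');

// A legitimate input with an apostrophe is enough to show the difference.
const input = "o'brien@example.com";
console.log(buildUserQueryUnsafe(input));   // quote inside the value breaks the SQL
console.log(buildUserQuerySafe(input));     // SQL text unchanged, value bound separately
console.log(findInterpolatedQueries(SAMPLE_SOURCE).map((h) => h.line)); // [1, 3]
```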
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.