{
    "slug": "ai_code_generation",
    "term": "AI-Assisted Code Generation",
    "category": "ai_ml",
    "difficulty": "intermediate",
    "short": "Using LLMs to generate, complete, or refactor code — powerful for boilerplate and exploration but requiring review for correctness, security, and licence compliance.",
    "long": "AI code generation tools (GitHub Copilot, Claude, Cursor) accelerate development by generating boilerplate, suggesting completions, explaining unfamiliar code, and drafting tests. Limitations: generated code can be subtly wrong (especially edge cases), may introduce security vulnerabilities (SQL injection, hardcoded secrets), may use deprecated APIs, and may include GPL-licensed code without attribution. Best practice: treat AI output as a first draft needing review, run static analysis and security scanning on generated code, and never commit without understanding what it does.",
    "aliases": [
        "Copilot",
        "AI coding",
        "code completion",
        "LLM code generation"
    ],
    "tags": [
        "ai",
        "tooling",
        "security",
        "quality"
    ],
    "misconception": "AI-generated code is production-ready because it looks correct — LLMs generate plausible-looking code optimised for the happy path; edge cases, error handling, and security are commonly missing or wrong.",
    "why_it_matters": "Developers who trust AI-generated code without review introduce vulnerabilities at scale — AI tools can generate SQL injection vulnerabilities, insecure random number usage, and incorrect business logic that passes casual inspection.",
    "common_mistakes": [
        "Committing AI-generated code without reading it — generated code must be understood before committing.",
        "Using AI for security-critical code without expert review — auth, crypto, and input handling require extra scrutiny.",
        "Not running static analysis on generated code — PHPStan catches many AI generation mistakes.",
        "Assuming generated tests are meaningful — AI often generates tests that pass without asserting behaviour."
    ],
    "when_to_use": [
        "Generating boilerplate, scaffolding, and repetitive CRUD code where the pattern is well-understood and review is fast.",
        "Exploring unfamiliar APIs or languages — AI output is a starting point for learning, not production-ready code.",
        "Writing test cases and documentation where correctness is easy to verify and the cost of a mistake is low."
    ],
    "avoid_when": [
        "Do not merge AI-generated code that touches authentication, cryptography, or payment flows without expert security review.",
        "Avoid using AI generation as a substitute for understanding the code — generated code you cannot explain is a liability.",
        "Do not generate code against proprietary internal APIs or data schemas if doing so would expose secrets through the prompt."
    ],
    "related": [
        "ai_security_concerns",
        "static_analysis",
        "ai_in_php",
        "shift_left_testing"
    ],
    "prerequisites": [
        "large_language_models",
        "static_analysis",
        "security_by_design"
    ],
    "refs": [
        "https://github.blog/ai-and-ml/generative-ai/how-to-use-github-copilot-in-your-ide-tips-tricks-and-best-practices/"
    ],
    "bad_code": "// AI-generated code with subtle SQL injection:\n// Prompt: write a PHP function to search users by name\nfunction searchUsers(string $name): array {\n    global $pdo;\n    // AI forgot to use prepared statements:\n    return $pdo->query(\"SELECT * FROM users WHERE name LIKE '%$name%'\")->fetchAll();\n    // Attacker input: %' UNION SELECT * FROM passwords --\n}",
    "good_code": "// Reviewed and corrected:\nfunction searchUsers(string $name): array {\n    global $pdo;\n    // After review: use a prepared statement so $name is bound, not interpolated:\n    $stmt = $pdo->prepare(\n        'SELECT id, name, email FROM users WHERE name LIKE ?'\n    );\n    // Note: % and _ inside $name still act as LIKE wildcards; escape them if exact matching matters\n    $stmt->execute(['%' . $name . '%']);\n    return $stmt->fetchAll(PDO::FETCH_ASSOC);\n    // Also: limit columns, not SELECT *\n}\n// Run PHPStan after generation to catch type errors\n// Run SAST scanner to catch security issues",
    "example_note": "The bad example shows an AI-generated search function with a SQL injection caused by raw string interpolation; the fix adds the prepared statement that the prompt did not ask for and the generated code omitted.",
    "quick_fix": "Always run PHPStan and your test suite on AI-generated code before committing — AI generates plausible-looking code that may have subtle security flaws or incorrect logic.",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-16",
    "updated": "2026-03-31",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/ai_code_generation",
        "html_url": "https://codeclaritylab.com/glossary/ai_code_generation",
        "json_url": "https://codeclaritylab.com/glossary/ai_code_generation.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[AI-Assisted Code Generation](https://codeclaritylab.com/glossary/ai_code_generation) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/ai_code_generation"
            }
        }
    }
}