⚠️

When AI Gets It Wrong

Common AI coding mistakes and how to spot them

AI coding assistants are powerful but imperfect. They make predictable mistakes. Here are the patterns to watch for so you can catch issues before they become bugs.

Made-Up APIs & Functions

🎭 Hallucinated Methods High frequency

AI confidently uses functions that don't exist, especially for newer libraries or less common APIs.

AI writes

const result = await fetch.json(url);  // ❌ Not a thing
array.unique();  // ❌ Doesn't exist in JS
string.contains('text');  // ❌ It's .includes()

How to catch it: If a method looks unfamiliar, check the docs. AI often invents plausible-sounding methods that don't exist.

📅 Outdated Syntax Medium frequency

AI training data includes old code. It might suggest deprecated patterns or old API versions.

AI writes

componentWillMount() { }  // ❌ Deprecated in React
new Buffer('data')  // ❌ Deprecated, use Buffer.from()
request.get(url)  // ❌ request package is deprecated

How to catch it: If you see deprecation warnings, or the pattern looks different from current docs, it's probably outdated.

Logic Errors

🔄 Off-by-One Errors High frequency

Classic programming mistake that AI makes frequently, especially in loops and array operations.

AI writes

for (let i = 0; i <= arr.length; i++)  // ❌ Should be <
arr.slice(0, arr.length - 1)  // Sometimes wrong depending on intent

How to catch it: Always trace through loop boundaries manually. Test with arrays of length 0, 1, and 2.

🔀 Async/Await Mistakes High frequency

AI often forgets await, uses it incorrectly, or creates race conditions.

AI writes

// Forgot await
const data = fetchData();  // ❌ Returns Promise, not data

// Sequential when could be parallel
const a = await getA();
const b = await getB();  // ❌ Could use Promise.all

// forEach doesn't wait
arr.forEach(async (item) => {  // ❌ Doesn't wait for completion
  await process(item);
});

How to catch it: If data is undefined or a Promise object, check for missing await. Console.log suspected values.

📝 Incorrect Type Coercion Medium frequency

AI sometimes ignores JavaScript's quirky type coercion rules.

AI writes

if (value == null)  // Might not catch undefined how you expect
if (arr.length)  // Truthy check, but 0 is falsy
const num = parseInt(input)  // Missing radix, or NaN not handled

How to catch it: Use === instead of ==. Explicitly check for NaN. Be suspicious of implicit type conversions.

Security Issues

💉 Injection Vulnerabilities High frequency

AI frequently generates code vulnerable to SQL injection, XSS, and command injection.

AI writes

// SQL injection
db.query(`SELECT * FROM users WHERE id = ${userId}`)  // ❌

// XSS
element.innerHTML = userInput  // ❌

// Command injection
exec(`rm ${filename}`)  // ❌

How to catch it: Any time user input goes into a query, command, or HTML, it's a red flag. Use parameterized queries, sanitize HTML, escape shell args.

🔑 Insecure Defaults Medium frequency

AI often uses insecure-but-simple options for demos that shouldn't go to production.

AI writes

cors({ origin: '*' })  // ❌ Too permissive
jwt.sign(data, 'secret')  // ❌ Weak secret
http.createServer()  // ❌ Should be https

How to catch it: Review security-related code extra carefully. Assume AI defaults are demo-quality, not production-quality.

The Pattern to Remember

🧠 AI Is Confidently Wrong

AI doesn't say "I'm not sure" or "this might not work." It presents everything with equal confidence. The more obscure or complex the task, the more likely it's wrong—but it won't tell you that.

Your job: Be the skeptic. Test everything. Check docs for anything unfamiliar. The confidence of AI output is not correlated with its correctness.