Why this matters
The bug. DELETE FROM session_activity; deletes every row. The author meant to scope it to expired sessions, but copy-pasted only half of the previous statement.
The fix. Constrain by either the foreign-key relationship or the same expires_at predicate.
Defense in depth. Most production teams require WHERE on DELETE/UPDATE via a SQL linter or by enabling safe_updates in MySQL. PostgreSQL doesn't have a native equivalent — you need pg_safeupdate or review discipline.
Review heuristic
Read every schema definition asking: what's the smallest set of values this field actually means? If the schema admits more than that — wrong types, out-of-range numbers, extra unknown fields — the validation is leaky.
External reference: CWE-20: Improper Input Validation.
↳ GitLab's 2017 production database wipe; CWE-862.