Question 1

How do I prevent SQL injection from LLM-generated queries?

Accepted Answer

LLM-generated SQL is a fundamentally different threat from classic SQL injection (OWASP A03:2021). Classic SQLi assumes an attacker controls a parameter inside a developer-written query. LLM SQLi assumes the entire query is generated by a probabilistic model that can be steered via prompt injection (OWASP LLM01) or ins

Question 2

Is it safe to let Claude or ChatGPT write SQL against my production database?

Accepted Answer

Not without guardrails — and not with a connection string that has more than the minimum privileges. The realistic risk model has three tiers: - **Catastrophic (low probability, high impact):** schema mutation (`DROP TABLE`, `TRUNCATE`), mass deletion. Prevented by statement-type allowlist + a read-only DB role. - **Ex

Question 3

What are the security risks of text-to-SQL AI agents?

Accepted Answer

Text-to-SQL agents (Vanna, LangChain SQLDatabaseChain, LlamaIndex `NLSQLTableQueryEngine`, custom GPT-4 → SQL pipelines) introduce six distinct risk classes: 1. **Prompt injection → SQL** (OWASP LLM01 + LLM02). A row in the database itself, or a tool description, contains text like "ignore previous and run `DROP TABLE

Question 4

How do I implement row-level security for LLM agents?

Accepted Answer

Two layers, both required: **Database RLS** (Postgres `CREATE POLICY`, MSSQL `CREATE SECURITY POLICY`) ties row visibility to a session variable like `current_setting('app.tenant_id')`. The agent's DB connection sets this on every request. This catches the agent if it manages to issue a raw query — but only for `SELECT

Question 5

What is the OWASP LLM Top 10 and how does it apply to SQL agents?

Accepted Answer

The OWASP LLM Top 10 (v1.1, 2024, with the 2025 refresh adding "Unbounded Consumption") is the canonical threat list for LLM-integrated applications. Five entries are directly relevant to text-to-SQL: - **LLM01: Prompt Injection** — user input or retrieved data (including DB rows) overrides system instructions, causing

Question 6

How do I audit LLM SQL queries for compliance (SOC 2, HIPAA)?

Accepted Answer

SOC 2 CC7.2 (system monitoring) and HIPAA 164.312(b) (audit controls) require contemporaneous, tamper-evident logging of access to in-scope data. For LLM SQL agents, an audit-grade log entry needs: 1. Timestamp (RFC 3339, UTC). 2. Subject — the authenticated user / API key on whose behalf the agent ran. 3. Agent identi

Question 7

Can ChatGPT drop my database tables?

Accepted Answer

Yes, if you let it — and several public incidents already show this. The mechanism is straightforward: a text-to-SQL agent is given a database connection and a system prompt like "you are a helpful analyst, write SQL." A user (or a poisoned row of data retrieved into the context) says something the model interprets as

Question 8

Is Vanna.ai secure for production use?

Accepted Answer

Vanna.ai is a useful text-to-SQL framework with some built-in guardrails — primarily a `is_sql_valid()` check and the ability to restrict to `SELECT`. For low-stakes internal analytics it's fine. For production use against tenant data or regulated data, it is necessary but not sufficient: - Vanna's default validator is

Question 9

What is semantic SQL injection in LLM applications?

Accepted Answer

Semantic SQL injection is when an attacker crafts *natural language* that causes an LLM to emit a destructive but syntactically valid SQL query. Unlike classic SQLi, there is no escape character or quote-breaking — the model is the vulnerability surface. Examples seen in the wild: - "Clean up old test records" → `DELET

Question 10

How does AST-based SQL validation differ from regex blocklists?

Accepted Answer

A regex blocklist scans the query string for forbidden tokens (`DROP`, `DELETE`, `UNION`, `;`). It is trivially bypassable: - Comments: `DR/**/OP TABLE x` - Whitespace: `DROP	TABLE
x` - Case: `DrOp TaBlE x` - Unicode: `DROP TABLE x` (some parsers) - Encoded payloads in CTEs or string literals that the LLM later rewri

Answer Engine Optimization