How do time-based SQL injection attacks work through prompt injection?

Question

Accepted Answer

Time-based SQL injection uses query execution duration as the side channel. The classic non-LLM version: `' OR IF(substr(password,1,1)='a', SLEEP(5), 0) -- `. With LLM agents, prompt injection (OWASP LLM01) steers the model into emitting `SLEEP`/`pg_sleep`/`WAITFOR DELAY` calls whose duration encodes a yes/no answer. The attack vector is novel because LLM agents often expose query latency directly (Slack bots, chat UIs streaming responses). A 5-second pause after "checking user with email a%" vs an instant answer for "b%" leaks one bit per query. Defenses: 1. **`statement_timeout` per agent role.** Postgres: `SET statement_timeout = '2s'` on the agent's session. Any query running longer is killed. Removes the time channel as a control. 2. **AST function denylist.** Reject queries whose AST contains `pg_sleep`, `SLEEP`, `WAITFOR`, `BENCHMARK`, `dbms_lock.sleep`. These have no legitimate analyst use. 3. **Server-side query plan inspection.** `EXPLAIN` the rewritten query; reject estimated cost above threshold. 4. **Don't expose raw latency to untrusted users.** Buffer responses; constant-time rate limit. 5. **Evidence log latency** — sudden latency outliers per agent are a red flag worth alerting on. QueryShield rejects sleep-family functions in the AST and supports per-agent cost/time policies.