Can ChatGPT drop my database tables?

Question

Accepted Answer

Yes, if you let it — and several public incidents already show this. The mechanism is straightforward: a text-to-SQL agent is given a database connection and a system prompt like "you are a helpful analyst, write SQL." A user (or a poisoned row of data retrieved into the context) says something the model interprets as a request to delete data. The model emits `DROP TABLE users;` or `DELETE FROM orders;` and the agent's executor runs it. The mitigation hierarchy: 1. **Least privilege at the DB layer.** The agent's DB user should have `SELECT` only on the views it needs. This alone makes `DROP` impossible. 2. **Statement-type allowlist at the agent layer.** Reject any AST whose root is not `SELECT` (or `WITH ... SELECT`). This catches the query before it hits the DB and gives a clean error. 3. **No multi-statement execution.** Set the driver to single-statement mode; reject queries containing `;` mid-stream. QueryShield enforces all three at the validator layer. Even if your DB creds are misconfigured, a `DROP` AST is rejected before the connection is touched.