What is semantic SQL injection in LLM applications?
Semantic SQL injection is an attack in which ordinary natural language leads an LLM to emit a destructive but syntactically valid SQL query. Unlike classic SQLi there is no quote-breaking or escape character to filter: the statement is well formed, and parameterised queries do not help because the attacker shapes the statement itself rather than a value inside it. The model's interpretation of the request is the vulnerability surface.
Examples seen in the wild:
- "Clean up old test records" → DELETE FROM users WHERE email LIKE '%@test.%' (the pattern also matches real users at any domain beginning with test.)
- "Show me a summary of everyone" → SELECT * FROM users (returns users from every tenant, not just the caller's)
- "Help me debug the deleted_at column" → UPDATE users SET deleted_at = NULL (a mass undelete of every soft-deleted row)
Defenses:
1. Statement allowlist: refuse anything but SELECT for analyst agents, however plausibly the request is worded, and back the allowlist with a database role that has no write grants so the gate is not the only control.
2. Required predicates: every query against users must carry tenant_id = :ctx.tenant_id, with the tenant id bound from the authenticated session context rather than supplied by the model. Check it on the parsed query (AST), not by substring: the predicate has to constrain every path, so tenant_id = :ctx.tenant_id OR 1 = 1 contains the text and still leaks every tenant.
3. Human-in-the-loop for mutations: if write access is genuinely required, route every mutating statement to a confirmation step that shows the exact SQL to a person before it runs.
4. Prompt-level reminders are not a control. "Never run DELETE" in the system prompt is bypassed routinely; it is guidance to the model, and enforcement has to live outside it.
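The following is an added example, not code from the original page: a small Python gate that implements defenses 1 and 2 above on a deliberately small SELECT grammar. It assumes the required predicate is literally tenant_id = :ctx.tenant_id, that the guarded table is users, and that any syntax the grammar does not model (JOIN, subqueries, IN, IS, NOT, ORDER BY, stacked statements) is rejected rather than ignored. The case worth studying is the OR path: tenant_id = :ctx.tenant_id OR 1 = 1 contains the required predicate as a substring, so a string match would pass it, while the tree walk rejects it because one disjunct is unconstrained.

```python
# Added example, not code from the original page: an AST-level gate for LLM-emitted
# SQL implementing defenses 1 and 2. Assumed: the predicate is literally
# tenant_id = :ctx.tenant_id, the guarded table is users, and syntax outside the
# small grammar below (JOIN, subqueries, IN, IS, NOT, ORDER BY, stacked statements) is rejected.
import re

TOKEN_RE = re.compile(r"""\s*(?:
      (?P<str>'(?:[^']|'')*')          # string literal, '' escapes a quote
    | (?P<param>:[A-Za-z_][\w.]*)      # named parameter such as :ctx.tenant_id
    | (?P<num>\d+(?:\.\d+)?)
    | (?P<op><=|>=|<>|!=|=|<|>)
    | (?P<punct>[(),*;])
    | (?P<ident>[A-Za-z_][\w.]*))""", re.VERBOSE)
RESERVED = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "LIKE", "UNION", "JOIN"}

def tokenize(sql):
    """(kind, text) tokens; identifiers and keywords are case-folded to upper."""
    tokens, pos, sql = [], 0, sql.strip()
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:                                  # anything unknown is an error
            raise ValueError(f"unexpected character {sql[pos]!r} at {pos}")
        kind, text, pos = m.lastgroup, m.group(m.lastgroup), m.end()
        tokens.append((kind, text.upper() if kind == "ident" else text))
    return tokens

class Parser:
    """Grammar: SELECT <projection> FROM <table> [WHERE <expr>] [;]
    <expr> is comparisons joined by AND / OR / parentheses."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def parse_statement(self):                     # -> (verb, table, where_tree)
        verb = self.peek()[1] if self.peek()[0] == "ident" else "<no statement>"
        if verb != "SELECT":
            return verb, None, None                # caller rejects; body not modelled
        # Projection does not affect the gate; list.index raises ValueError (caught by gate) if no FROM.
        self.i = self.toks.index(("ident", "FROM")) + 1
        kind, table = self.take()
        if kind != "ident" or table in RESERVED:
            raise ValueError("expected table name")
        where = None
        if self.peek() == ("ident", "WHERE"):
            self.take()
            where = self.parse_or()
        if self.toks[self.i:] not in ([], [("punct", ";")]):   # JOIN, ORDER BY, second statement...
            raise ValueError(f"unsupported syntax near {self.toks[self.i][1]!r}")
        return verb, table, where
    def parse_chain(self, word, sub):              # `sub` terms joined by AND or OR
        parts = [sub()]
        while self.peek() == ("ident", word):
            self.take()
            parts.append(sub())
        return parts[0] if len(parts) == 1 else (word.lower(), parts)
    def parse_or(self):                            # OR binds looser than AND
        return self.parse_chain("OR", lambda: self.parse_chain("AND", self.parse_cmp))
    def parse_cmp(self):
        if self.peek() == ("punct", "("):
            self.take()
            inner = self.parse_or()
            if self.take() != ("punct", ")"):
                raise ValueError("expected ')'")
            return inner
        left = self.parse_operand()
        kind, val = self.take()
        if kind == "op" or (kind, val) == ("ident", "LIKE"):
            return ("cmp", left, val, self.parse_operand())
        raise ValueError(f"expected comparison operator, got {val!r}")
    def parse_operand(self):
        kind, val = self.take()
        if kind in ("param", "num", "str") or (kind == "ident" and val not in RESERVED):
            return val
        raise ValueError(f"unexpected token {val!r}")

def enforces_tenant(node, column, param):
    """True only if every row satisfying node also satisfies column = param:
    AND needs one enforcing conjunct, OR needs every disjunct; anything else fails."""
    tag = node[0] if node else None
    if tag == "cmp":
        return node[2] == "=" and {node[1], node[3]} == {column.upper(), param}
    if tag == "and":
        return any(enforces_tenant(p, column, param) for p in node[1])
    if tag == "or":
        return all(enforces_tenant(p, column, param) for p in node[1])
    return False                                   # no WHERE, or an unknown shape

def gate(sql, guarded_table="users", column="tenant_id", param=":ctx.tenant_id"):
    """Return (allowed, reason) for a model-emitted query; the default is deny."""
    try:
        verb, table, where = Parser(tokenize(sql)).parse_statement()
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if verb != "SELECT":
        return False, f"{verb} is not in the statement allowlist"
    if table == guarded_table.upper() and not enforces_tenant(where, column, param):
        return False, f"{column} = {param} is not enforced on every path"
    return True, "allowed"
```

Calling gate() on the page's three examples rejects all of them (two on statement type, one on the missing tenant predicate), and it also rejects a stacked "SELECT ...; DELETE FROM users" because the trailing tokens are unsupported syntax. In a real deployment the gate should parse with the same dialect parser the database uses, since any difference between how the gate and the database read a statement is itself a bypass, and every rejection should be logged together with the model's raw output so that the prompts that produce dangerous SQL can be reviewed.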