The user asks for details of the last transaction, the user gets back the amount, the source, and the description in a safely quoted format with the LLM never reading it.
You can't inject the LLM if it doesn't see the data.
An architecture like this won't work in many situations, but it can work for a lot of simple questions.
And if you want the LLM to summarize things, you run an isolated instance that makes a summary and you never show that summary to the LLM that's following the user's instructions.
Yes. SQL querying with standard inbuilt anti injection code when retrieving the transactions that it can write itself.
What kind of "standard inbuilt anti injection code" are you referring to? Mysql_real_escape_string()?
Look up "prepared statements", it's pretty well documented.
How does this prevent prompt injection described in the article?
How does it prevent DDOSing and/or exposing the database from an injected prompt?
The user asks for details of the last transaction, the user gets back the amount, the source, and the description in a safely quoted format with the LLM never reading it.
You can't inject the LLM if it doesn't see the data.
An architecture like this won't work in many situations, but it can work for a lot of simple questions.
And if you want the LLM to summarize things, you run an isolated instance that makes a summary and you never show that summary to the LLM that's following the user's instructions.
2 replies →