Comment by coldtea
13 hours ago
It's not about if it can happen or if it happens.
It's about how easily it's mitigated completely. Use a proper db library which does escaping and it's completely eliminated.
13 hours ago
It's not about if it can happen or if it happens.
It's about how easily it's mitigated completely. Use a proper db library which does escaping and it's completely eliminated.
Nit: modern DB libraries use wire protocols where SQL injection is mitigated by modeling parameters; it’s not just assembled to one big SQL statement and escaped.
Agree with your point though. There will come a time when properly designed LLM apps are not vulnerable, and there will still be poorly designed apps that are.
> There will come a time when properly designed LLM apps are not vulnerable, and there will still be poorly designed apps that are.
Whether it’s possible to properly secure an LLM (and retain its utility) seems to be heavily disputed, in this thread and elsewhere.