← Back to context

Comment by Dylan16807

5 hours ago

> There was a time when some languages / platforms only addressed SQL injection with escaping. That’s basically where we’re at with prompt injection now

No, we're in a far worse place. Escaping SQL is 100% reliable when you apply it to every field (and you don't mix up encodings, see mysql_real_escape_string). Prepared statements 'just' keep you from forgetting. The state of the art for separation in an LLM is a loose advisory at best.