Warning: Beware of the risks of running SQL queries from frontend in public-facing apps, especially with LLMs #56

Open
drivian opened this issue Jun 10, 2024 · 0 comments

drivian commented Jun 10, 2024

Beware of the risks of running SQL queries directly from the client side in public-facing applications, especially with LLMs, due to SQL & prompt injection risks. The SQL Tool in the tool library is not recommended for use in public-facing applications due to these risks. PR 55 introduces more filters for malignant SQL queries / script injections, but does not guarantee protection against all attacks, as there are inherent risks in executing unparametrized SQL queries.

See LangChain's note on a similar topic (link):
"Building Q&A systems of SQL databases requires executing model-generated SQL queries. There are inherent risks in doing this. Make sure that your database connection permissions are always scoped as narrowly as possible for your chain/agent's needs. This will mitigate though not eliminate the risks of building a model-driven system. For more on general security best practices, see here."

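The point made in the issue above, as an added example that is not part of the original post or the project's SQL Tool: a keyword filter passes a query that reads a sensitive table, while a connection scoped to an allowlist refuses it. SQLite stands in for the real database; the table names, allowlists and helper names are hypothetical, and the sample rows are constructed.

```python
import re
import sqlite3

ALLOWED_TABLES = {"products"}                          # hypothetical allowlist
ALLOWED_FUNCS = {"count", "sum", "min", "max", "avg"}  # hypothetical allowlist
DENYLIST = re.compile(r"\b(drop|delete|update|insert|alter)\b", re.I)

def keyword_filter_allows(sql):
    """Denylist-style filter: passes anything without a write keyword."""
    return DENYLIST.search(sql) is None

def _authorizer(action, arg1, arg2, db_name, source):
    # SQLite calls this while compiling each statement; deny by default.
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def make_scoped_connection():
    """Build constructed sample data, then lock the handle down."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products(name, price) VALUES ('widget', 9.5), ('gadget', 20.0);
        INSERT INTO users(email, password_hash) VALUES ('a@example.test', 'constructed');
    """)
    conn.execute("PRAGMA query_only = ON")  # refuse writes on this handle
    conn.set_authorizer(_authorizer)        # refuse everything not allowlisted
    return conn

def run_untrusted(conn, sql):
    """Return (True, rows) if the statement was permitted, else (False, reason)."""
    try:
        return True, conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)

if __name__ == "__main__":
    conn = make_scoped_connection()
    for sql in ("SELECT name, price FROM products ORDER BY id",
                "SELECT email, password_hash FROM users",
                "DROP TABLE products"):
        print(keyword_filter_allows(sql), run_untrusted(conn, sql))
```

On a server database the same scoping is done with a dedicated low-privilege role rather than an in-process authorizer.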