Hacker News new | past | comments | ask | show | jobs | submit login

SQL injection meets prompt-injection…



NEVER CREATE CARTESIAN PRODUCTS

For example:

SELECT clicks.session_id, clicks.page_url, sessions.user_id FROM clicks, sessions;

(This context is guaranteed to generate lots of cartesian products.)


Couldn’t you solve this simply by executing from a user without these permissions?


Sure, but it's something that the customer has to do. I wouldn't rely on customers to configure everything correctly, especially if there is no way to discover the configuration error before the damage has been done.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: