SQL Injection via LLM Output
SQL injection via LLM occurs when an AI agent uses LLM-generated text directly in SQL queries without sanitization. The LLM output, which may be steered by prompt injection or may simply be hallucinated, is interpolated into SQL statements, creating a classic injection vector with AI characteristics.
LLM Output in SQL Query
# LLM generates the WHERE clause - dangerous!
user_query = "Show me all users from New York"
llm_response = llm.complete(f"Convert to SQL: {user_query}")
# LLM might output: name = 'x' OR 1=1; DROP TABLE users; --
cursor.execute(f"SELECT * FROM users WHERE {llm_response}")

# Parameterized query with validated columns
ALLOWED_COLUMNS = {"name", "city", "email"}
parsed = parse_llm_filter(llm_response)  # structured (column, value), not raw SQL
if parsed.column not in ALLOWED_COLUMNS:
    raise ValueError(f"Invalid column: {parsed.column}")
# Identifiers cannot be bound as query parameters (the driver would quote the
# column name as a string literal), so the allowlisted column is inserted into
# the query text and only the value is passed as a bound parameter.
cursor.execute(
    f"SELECT * FROM users WHERE {parsed.column} = %s",
    (parsed.value,),
)
Frequently Asked Questions
How does SQL injection happen through LLM output?
When an AI agent generates SQL queries by interpolating LLM output into query strings (e.g., f"SELECT * FROM {table} WHERE {condition}"), the LLM output can contain malicious SQL. This happens through prompt injection (attacker influences LLM output) or LLM hallucination (model generates unexpected SQL fragments).
How is SQL injection via LLM different from traditional SQL injection?
Traditional SQL injection comes from user input going directly to SQL. LLM-based SQL injection adds an intermediary — the LLM processes user input and generates output that then reaches SQL queries. This makes it harder to detect because the injection path goes through an LLM call.
How do you prevent SQL injection in AI agents?
Use parameterized queries, never interpolate LLM output into SQL strings, validate LLM-generated SQL against an allowlist of safe patterns, and implement read-only database connections for agent queries.
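As an added example that is not part of this page or of Inkog's code, the hardened pattern from the snippet above carried through end to end against a constructed in-memory SQLite table: a strict parser for the LLM's filter output (`parse_llm_filter`, `Filter` and `UnsafeLLMOutput` are hypothetical names chosen here), an allowlist of columns and operators, a bound parameter for the value, and a read-only (`PRAGMA query_only`) connection for the agent's queries. Hostile LLM output such as the `OR 1=1; DROP TABLE` string above fails to parse and never reaches the database.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed in-memory table so the example runs offline (sample rows, not real users).
conn = sqlite3.connect(":memory:")
conn.executescript(
    """
    CREATE TABLE users (name TEXT, city TEXT, email TEXT);
    INSERT INTO users VALUES ('alice', 'New York', 'alice@example.com');
    INSERT INTO users VALUES ('bob', 'Boston', 'bob@example.com');
    INSERT INTO users VALUES ('carol', 'New York', 'carol@example.com');
    """
)
# Defence in depth: the connection the agent queries through is read-only,
# so even a parser bug cannot turn into a DROP or UPDATE.
conn.execute("PRAGMA query_only = 1")

ALLOWED_COLUMNS = {"name", "city", "email"}

# The only shape the LLM is allowed to return: <column> <op> '<value>'.
# A second clause, a semicolon or a comment marker does not match and is rejected.
_FILTER_RE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*(=|!=|LIKE)\s*'((?:[^']|'')*)'\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class Filter:
    column: str
    operator: str
    value: str


class UnsafeLLMOutput(ValueError):
    """Raised when LLM output is not a single allowlisted filter."""


def parse_llm_filter(text: str) -> Filter:
    """Turn LLM output into structured data; anything that is not a plain filter is refused."""
    match = _FILTER_RE.match(text)
    if match is None:
        raise UnsafeLLMOutput(f"LLM output is not a simple filter: {text!r}")
    column = match.group(1).lower()
    if column not in ALLOWED_COLUMNS:
        raise UnsafeLLMOutput(f"Invalid column: {column}")
    # Undo SQL-style doubled quotes; the value is sent as data, never as SQL text.
    value = match.group(3).replace("''", "'")
    return Filter(column, match.group(2).upper(), value)


def query_users(llm_response: str) -> list:
    """Run the agent's lookup with the column allowlisted and the value bound."""
    flt = parse_llm_filter(llm_response)
    # The identifier was checked against ALLOWED_COLUMNS, so interpolating it is safe;
    # the value goes through the driver's parameter binding (? placeholder in sqlite3).
    sql = f"SELECT name, city, email FROM users WHERE {flt.column} {flt.operator} ? ORDER BY name"
    return conn.execute(sql, (flt.value,)).fetchall()


if __name__ == "__main__":
    print(query_users("city = 'New York'"))
    try:
        query_users("name = 'x' OR 1=1; DROP TABLE users; --")
    except UnsafeLLMOutput as exc:
        print("rejected:", exc)
```

The placeholder style (`?` here, `%s` in the snippet above) depends on the DB-API driver; what matters is that the value travels as a parameter and the only text interpolated is an identifier the code has already checked against `ALLOWED_COLUMNS`.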
How Inkog Detects This
Inkog traces data flow from LLM call outputs to database query functions. It identifies patterns where LLM-generated text is interpolated into SQL strings, including f-string interpolation, string concatenation, and format() calls that reach cursor.execute() or ORM raw queries.
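As an added illustration of the data-flow idea described above, and not Inkog's implementation, the following constructed Python script does a small flow-insensitive taint analysis over a module's AST: names assigned from an LLM client call (the method names in `LLM_METHODS` are an assumption) are marked tainted, taint propagates through assignments, and a finding is reported when a database sink (`cursor.execute()` and friends) receives SQL text assembled by an f-string, `+` concatenation, `%` formatting or `.format()` that references a tainted name. `find_llm_sql_interpolation` and `SAMPLE_SOURCE` are hypothetical names; the sample source is constructed for the example.

```python
import ast
from typing import List, Optional, Set

# Methods whose return value is treated as LLM output (assumption: a real scanner
# would be configured with the SDK calls the project actually uses).
LLM_METHODS = {"complete", "chat", "generate"}
# Database sinks that take SQL text as their first argument.
DB_SINK_METHODS = {"execute", "executemany", "executescript", "raw"}


def _method_name(node: ast.AST) -> Optional[str]:
    """Return the attribute name for calls of the form obj.method(...), else None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def _names_in(node: ast.AST) -> Set[str]:
    """Every plain variable name referenced anywhere under the node."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _builds_string(node: ast.AST) -> bool:
    """f-string, '+' concatenation, '%' formatting or str.format(): SQL assembled at runtime."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return _method_name(node) == "format"


def find_llm_sql_interpolation(source: str) -> List[int]:
    """Line numbers of DB sink calls whose SQL argument is assembled from LLM output."""
    tree = ast.parse(source)
    tainted: Set[str] = set()
    # Flow-insensitive taint propagation: a name assigned from an LLM call, or from an
    # expression mentioning a tainted name, is tainted. Iterate until nothing changes.
    changed = True
    while changed:
        changed = False
        for node in ast.walk(tree):
            if not isinstance(node, ast.Assign):
                continue
            from_llm = _method_name(node.value) in LLM_METHODS
            if from_llm or _names_in(node.value) & tainted:
                for target in node.targets:
                    new = _names_in(target) - tainted
                    if new:
                        tainted |= new
                        changed = True
    findings: List[int] = []
    for node in ast.walk(tree):
        if _method_name(node) in DB_SINK_METHODS and node.args:
            sql_arg = node.args[0]
            # Flag only when SQL text is built at runtime AND a tainted name feeds it;
            # a constant query with the LLM value passed as a bound parameter is not flagged.
            if _builds_string(sql_arg) and _names_in(sql_arg) & tainted:
                findings.append(node.lineno)
    return sorted(findings)


# Constructed sample, not real project code: lines 4 and 7 interpolate LLM output
# into SQL text; line 6 passes it as a bound parameter and should not be reported.
SAMPLE_SOURCE = """\
user_query = input()
llm_response = llm.complete(f"Convert to SQL: {user_query}")
where_clause = "WHERE " + llm_response
cursor.execute("SELECT * FROM users " + where_clause)
parsed = parse_llm_filter(llm_response)
cursor.execute("SELECT * FROM users WHERE city = %s", (parsed.value,))
cursor.execute("SELECT * FROM users WHERE {}".format(llm_response))
"""

if __name__ == "__main__":
    print(find_llm_sql_interpolation(SAMPLE_SOURCE))  # [4, 7]
```

Because the analysis is flow-insensitive and has no notion of sanitizers, it also reports the allowlisted-column interpolation from the hardened snippet earlier on this page; a production scanner has to model validation steps like that allowlist check to keep the false-positive rate down.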
npx -y @inkog-io/cli scan .