Skip to main content

SQL injection

Risk & governance

An attack class where untrusted input alters database queries—classic web risk that also appears when LLMs generate dynamic SQL without controls.

SQL injection includes classic string concatenation flaws and logical abuse of generated queries. Natural language to SQL stacks must combine least privilege, parameterization, row-level controls, and review—not “the model wrote it so it’s safe.”

Relationship to LLM attacks

Prompt injection manipulates model behavior; SQLi manipulates databases once a query executes—both need defense in depth.