SQL Injection

A Search-based Evaluator that rapidly identifies common SQL Injection patterns in text using carefully curated regular expressions. It provides binary classification for potential attacks targeting database operations.

SQL Injection - Search

Detailed Description

The SQL Injection - Search Evaluator uses specialized pattern recognition to identify potential SQL Injection attempts in both Prompts and Responses. It's designed to detect common SQL Injection patterns including unauthorized SELECT, INSERT, UPDATE, DELETE, or DROP statements, conditional logic manipulation, timing attacks, comment injections, and stored procedure exploitation.

This Evaluator helps prevent both accidental and intentional SQL query manipulation that could lead to unauthorized data access, data corruption, or system compromise. It's particularly valuable for applications that might pass LLM outputs to database systems or for detecting attempts to generate malicious database queries.

Input Descriptions:

The Evaluator accepts text input from both Prompt and Response Events within an Exchange.

Law Usage Example:

This Response would trigger the Evaluator since it contains a classic SQL injection pattern with OR '1'='1' that would bypass authentication by making the WHERE condition always true:

Triggering Example
SELECT * FROM users WHERE username = 'admin' OR '1'='1'; --

This Response would also trigger the Evaluator due to conditional manipulation:

Triggering Example
The query should look like this: SELECT account_balance FROM accounts WHERE user_id = 105 OR 1=1

This Response would also trigger the Evaluator due to timing attack patterns:

Triggering Example
Try using: username' AND (SELECT sleep(5))='

This Response would not trigger the Evaluator since it contains SQL but no injection patterns:

Non-Triggering Example
Use a parameterized query like this: SELECT * FROM products WHERE category = ? AND price < ?

Output Descriptions:

Returns a Finding containing a Boolean flag for SQL injection detection:

Finding Structure
{
"SQLInjection-Search.is_sql_injection": [True/False]
}
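
The search-based check described above, sketched as an added example (not ThirdLaw's code or pattern library) and run over the four example Responses from this page. The pattern names, the regular expressions, and the `matched_patterns` and `evaluate` helpers are assumptions chosen for illustration.

```python
import re

# Illustrative patterns (assumptions), not ThirdLaw's curated pattern library.
PATTERNS = {
    # OR/AND comparing a literal with itself: OR '1'='1', OR 1=1
    "tautology": re.compile(
        r"\b(?:or|and)\s+(['\"]?)(\w+)\1\s*=\s*(['\"]?)\2\3(?!\w)", re.I),
    # Delay primitives used for time-based checks (MySQL, PostgreSQL, SQL Server)
    "time_delay": re.compile(
        r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I),
    # A closing quote followed by a comment marker that cuts off the rest of the query
    "comment_after_quote": re.compile(r"['\"]\s*;?\s*(?:--|#|/\*)"),
    # A statement terminator followed by a second, data-modifying statement
    "stacked_statement": re.compile(
        r";\s*(?:drop|delete|insert|update)\b", re.I),
}


def matched_patterns(text):
    """Return the sorted names of the patterns found in text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def evaluate(text):
    """Return a Finding shaped like the structure documented above."""
    return {"SQLInjection-Search.is_sql_injection": bool(matched_patterns(text))}


# The four example Responses from this page, in the order they appear.
SAMPLES = [
    "SELECT * FROM users WHERE username = 'admin' OR '1'='1'; --",
    "The query should look like this: SELECT account_balance FROM accounts "
    "WHERE user_id = 105 OR 1=1",
    "Try using: username' AND (SELECT sleep(5))='",
    "Use a parameterized query like this: SELECT * FROM products "
    "WHERE category = ? AND price < ?",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample), matched_patterns(sample), "|", sample)
```

Patterns this loose also match ordinary prose, such as a quoted word followed by `#`, so a flag from a check like this is a signal to review or block rather than proof of an attack.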

Configuration Options:

N/A


Data & Dependencies

Data Sources

Pattern library developed based on known SQL injection techniques and synthetically generated examples.


Ways to Use and Deploy this Evaluator

Here's how to incorporate the SQL Injection - Search Evaluator in your Law:

ThirdLaw DSL
if SQLInjection-Search in ScopeType then run InterventionType

Here's how to configure SQL Injection - Search to block responses and log security events when SQL injection is detected in the LLM output:

ThirdLaw DSL
if SQLInjection-Search.is_sql_injection in Response then run BlockResponse and LogSecurityEvent

Security, Compliance & Risk Assessment

Security Considerations:

Outline potential vulnerabilities, threat models, and how the Evaluator mitigates risks.

Compliance & Privacy:

  • EU AI Act - supports compliance with security requirements for high-risk AI systems by preventing SQL injection vulnerabilities
  • GDPR - helps prevent unauthorized data access through SQL injection attacks
  • NIS Directive - supports cybersecurity requirements by protecting against database injection attacks

Revision History:

2025-02-24: Initial release

  • Initial pattern library for SQL injection detection
  • ThirdLaw benchmark results
  • Initial documentation