From Prompt Injections to SQL Injection Attacks: How Protected is Your LLM-Integrated Web Application? Article Swipe
Rodrigo Pedro
,
Daniel Castro
,
Paulo Carreira
,
Nuno Santos
·
YOU?
·
· 2023
· Open Access
·
· DOI: https://doi.org/10.48550/arxiv.2308.01990
YOU?
·
· 2023
· Open Access
·
· DOI: https://doi.org/10.48550/arxiv.2308.01990
Large Language Models (LLMs) have found widespread applications in various domains, including web applications, where they facilitate human interaction via chatbots with natural language interfaces. Internally, aided by an LLM-integration middleware such as Langchain, user prompts are translated into SQL queries used by the LLM to provide meaningful responses to users. However, unsanitized user prompts can lead to SQL injection attacks, potentially compromising the security of the database. Despite the growing interest in prompt injection vulnerabilities targeting LLMs, the specific risks of generating SQL injection attacks through prompt injections have not been extensively studied. In this paper, we present a comprehensive examination of prompt-to-SQL (P$_2$SQL) injections targeting web applications based on the Langchain framework. Using Langchain as our case study, we characterize P$_2$SQL injections, exploring their variants and impact on application security through multiple concrete examples. Furthermore, we evaluate 7 state-of-the-art LLMs, demonstrating the pervasiveness of P$_2$SQL attacks across language models. Our findings indicate that LLM-integrated applications based on Langchain are highly susceptible to P$_2$SQL injection attacks, warranting the adoption of robust defenses. To counter these attacks, we propose four effective defense techniques that can be integrated as extensions to the Langchain framework. We validate the defenses through an experimental evaluation with a real-world use case application.
Related Topics
Concepts
SQL injection
SQL
Computer science
Web application
Database
Computer security
World Wide Web
Query by Example
Search engine
Web search query
Metadata
- Type
- preprint
- Language
- en
- Landing Page
- http://arxiv.org/abs/2308.01990
- https://arxiv.org/pdf/2308.01990
- OA Status
- green
- Cited By
- 17
- Related Works
- 10
- OpenAlex ID
- https://openalex.org/W4385682279
All OpenAlex metadata
Raw OpenAlex JSON
- OpenAlex ID
-
https://openalex.org/W4385682279Canonical identifier for this work in OpenAlex
- DOI
-
https://doi.org/10.48550/arxiv.2308.01990Digital Object Identifier
- Title
-
From Prompt Injections to SQL Injection Attacks: How Protected is Your LLM-Integrated Web Application?Work title
- Type
-
preprintOpenAlex work type
- Language
-
enPrimary language
- Publication year
-
2023Year of publication
- Publication date
-
2023-08-03Full publication date if available
- Authors
-
Rodrigo Pedro, Daniel Castro, Paulo Carreira, Nuno SantosList of authors in order
- Landing page
-
https://arxiv.org/abs/2308.01990Publisher landing page
- PDF URL
-
https://arxiv.org/pdf/2308.01990Direct link to full text PDF
- Open access
-
YesWhether a free full text is available
- OA status
-
greenOpen access status per OpenAlex
- OA URL
-
https://arxiv.org/pdf/2308.01990Direct OA link when available
- Concepts
-
SQL injection, SQL, Computer science, Web application, Database, Computer security, World Wide Web, Query by Example, Search engine, Web search queryTop concepts (fields/topics) attached by OpenAlex
- Cited by
-
17Total citation count in OpenAlex
- Citations by year (recent)
-
2025: 8, 2024: 8, 2023: 1Per-year citation counts (last 5 years)
- Related works (count)
-
10Other works algorithmically related by OpenAlex
Full payload
| id | https://openalex.org/W4385682279 |
|---|---|
| doi | https://doi.org/10.48550/arxiv.2308.01990 |
| ids.doi | https://doi.org/10.48550/arxiv.2308.01990 |
| ids.openalex | https://openalex.org/W4385682279 |
| fwci | |
| type | preprint |
| title | From Prompt Injections to SQL Injection Attacks: How Protected is Your LLM-Integrated Web Application? |
| biblio.issue | |
| biblio.volume | |
| biblio.last_page | |
| biblio.first_page | |
| topics[0].id | https://openalex.org/T12479 |
| topics[0].field.id | https://openalex.org/fields/17 |
| topics[0].field.display_name | Computer Science |
| topics[0].score | 0.9980000257492065 |
| topics[0].domain.id | https://openalex.org/domains/3 |
| topics[0].domain.display_name | Physical Sciences |
| topics[0].subfield.id | https://openalex.org/subfields/1710 |
| topics[0].subfield.display_name | Information Systems |
| topics[0].display_name | Web Application Security Vulnerabilities |
| topics[1].id | https://openalex.org/T11424 |
| topics[1].field.id | https://openalex.org/fields/17 |
| topics[1].field.display_name | Computer Science |
| topics[1].score | 0.9444000124931335 |
| topics[1].domain.id | https://openalex.org/domains/3 |
| topics[1].domain.display_name | Physical Sciences |
| topics[1].subfield.id | https://openalex.org/subfields/1702 |
| topics[1].subfield.display_name | Artificial Intelligence |
| topics[1].display_name | Security and Verification in Computing |
| topics[2].id | https://openalex.org/T10927 |
| topics[2].field.id | https://openalex.org/fields/33 |
| topics[2].field.display_name | Social Sciences |
| topics[2].score | 0.9264000058174133 |
| topics[2].domain.id | https://openalex.org/domains/2 |
| topics[2].domain.display_name | Social Sciences |
| topics[2].subfield.id | https://openalex.org/subfields/3312 |
| topics[2].subfield.display_name | Sociology and Political Science |
| topics[2].display_name | Access Control and Trust |
| is_xpac | False |
| apc_list | |
| apc_paid | |
| concepts[0].id | https://openalex.org/C150451098 |
| concepts[0].level | 5 |
| concepts[0].score | 0.9353042840957642 |
| concepts[0].wikidata | https://www.wikidata.org/wiki/Q506059 |
| concepts[0].display_name | SQL injection |
| concepts[1].id | https://openalex.org/C510870499 |
| concepts[1].level | 2 |
| concepts[1].score | 0.7875257730484009 |
| concepts[1].wikidata | https://www.wikidata.org/wiki/Q47607 |
| concepts[1].display_name | SQL |
| concepts[2].id | https://openalex.org/C41008148 |
| concepts[2].level | 0 |
| concepts[2].score | 0.7326108813285828 |
| concepts[2].wikidata | https://www.wikidata.org/wiki/Q21198 |
| concepts[2].display_name | Computer science |
| concepts[3].id | https://openalex.org/C118643609 |
| concepts[3].level | 2 |
| concepts[3].score | 0.5459541082382202 |
| concepts[3].wikidata | https://www.wikidata.org/wiki/Q189210 |
| concepts[3].display_name | Web application |
| concepts[4].id | https://openalex.org/C77088390 |
| concepts[4].level | 1 |
| concepts[4].score | 0.4350772202014923 |
| concepts[4].wikidata | https://www.wikidata.org/wiki/Q8513 |
| concepts[4].display_name | Database |
| concepts[5].id | https://openalex.org/C38652104 |
| concepts[5].level | 1 |
| concepts[5].score | 0.40264463424682617 |
| concepts[5].wikidata | https://www.wikidata.org/wiki/Q3510521 |
| concepts[5].display_name | Computer security |
| concepts[6].id | https://openalex.org/C136764020 |
| concepts[6].level | 1 |
| concepts[6].score | 0.37792736291885376 |
| concepts[6].wikidata | https://www.wikidata.org/wiki/Q466 |
| concepts[6].display_name | World Wide Web |
| concepts[7].id | https://openalex.org/C194222762 |
| concepts[7].level | 4 |
| concepts[7].score | 0.30866992473602295 |
| concepts[7].wikidata | https://www.wikidata.org/wiki/Q114486 |
| concepts[7].display_name | Query by Example |
| concepts[8].id | https://openalex.org/C97854310 |
| concepts[8].level | 2 |
| concepts[8].score | 0.0 |
| concepts[8].wikidata | https://www.wikidata.org/wiki/Q19541 |
| concepts[8].display_name | Search engine |
| concepts[9].id | https://openalex.org/C164120249 |
| concepts[9].level | 3 |
| concepts[9].score | 0.0 |
| concepts[9].wikidata | https://www.wikidata.org/wiki/Q995982 |
| concepts[9].display_name | Web search query |
| keywords[0].id | https://openalex.org/keywords/sql-injection |
| keywords[0].score | 0.9353042840957642 |
| keywords[0].display_name | SQL injection |
| keywords[1].id | https://openalex.org/keywords/sql |
| keywords[1].score | 0.7875257730484009 |
| keywords[1].display_name | SQL |
| keywords[2].id | https://openalex.org/keywords/computer-science |
| keywords[2].score | 0.7326108813285828 |
| keywords[2].display_name | Computer science |
| keywords[3].id | https://openalex.org/keywords/web-application |
| keywords[3].score | 0.5459541082382202 |
| keywords[3].display_name | Web application |
| keywords[4].id | https://openalex.org/keywords/database |
| keywords[4].score | 0.4350772202014923 |
| keywords[4].display_name | Database |
| keywords[5].id | https://openalex.org/keywords/computer-security |
| keywords[5].score | 0.40264463424682617 |
| keywords[5].display_name | Computer security |
| keywords[6].id | https://openalex.org/keywords/world-wide-web |
| keywords[6].score | 0.37792736291885376 |
| keywords[6].display_name | World Wide Web |
| keywords[7].id | https://openalex.org/keywords/query-by-example |
| keywords[7].score | 0.30866992473602295 |
| keywords[7].display_name | Query by Example |
| language | en |
| locations[0].id | pmh:oai:arXiv.org:2308.01990 |
| locations[0].is_oa | True |
| locations[0].source.id | https://openalex.org/S4306400194 |
| locations[0].source.issn | |
| locations[0].source.type | repository |
| locations[0].source.is_oa | True |
| locations[0].source.issn_l | |
| locations[0].source.is_core | False |
| locations[0].source.is_in_doaj | False |
| locations[0].source.display_name | arXiv (Cornell University) |
| locations[0].source.host_organization | https://openalex.org/I205783295 |
| locations[0].source.host_organization_name | Cornell University |
| locations[0].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[0].license | |
| locations[0].pdf_url | https://arxiv.org/pdf/2308.01990 |
| locations[0].version | submittedVersion |
| locations[0].raw_type | text |
| locations[0].license_id | |
| locations[0].is_accepted | False |
| locations[0].is_published | False |
| locations[0].raw_source_name | |
| locations[0].landing_page_url | http://arxiv.org/abs/2308.01990 |
| locations[1].id | doi:10.48550/arxiv.2308.01990 |
| locations[1].is_oa | True |
| locations[1].source.id | https://openalex.org/S4306400194 |
| locations[1].source.issn | |
| locations[1].source.type | repository |
| locations[1].source.is_oa | True |
| locations[1].source.issn_l | |
| locations[1].source.is_core | False |
| locations[1].source.is_in_doaj | False |
| locations[1].source.display_name | arXiv (Cornell University) |
| locations[1].source.host_organization | https://openalex.org/I205783295 |
| locations[1].source.host_organization_name | Cornell University |
| locations[1].source.host_organization_lineage | https://openalex.org/I205783295 |
| locations[1].license | cc-by |
| locations[1].pdf_url | |
| locations[1].version | |
| locations[1].raw_type | article |
| locations[1].license_id | https://openalex.org/licenses/cc-by |
| locations[1].is_accepted | False |
| locations[1].is_published | |
| locations[1].raw_source_name | |
| locations[1].landing_page_url | https://doi.org/10.48550/arxiv.2308.01990 |
| indexed_in | arxiv, datacite |
| authorships[0].author.id | https://openalex.org/A5112976831 |
| authorships[0].author.orcid | |
| authorships[0].author.display_name | Rodrigo Pedro |
| authorships[0].author_position | first |
| authorships[0].raw_author_name | Pedro, Rodrigo |
| authorships[0].is_corresponding | False |
| authorships[1].author.id | https://openalex.org/A5101622208 |
| authorships[1].author.orcid | https://orcid.org/0000-0003-3733-4613 |
| authorships[1].author.display_name | Daniel Castro |
| authorships[1].author_position | middle |
| authorships[1].raw_author_name | Castro, Daniel |
| authorships[1].is_corresponding | False |
| authorships[2].author.id | https://openalex.org/A5043571779 |
| authorships[2].author.orcid | https://orcid.org/0000-0002-2244-9138 |
| authorships[2].author.display_name | Paulo Carreira |
| authorships[2].author_position | middle |
| authorships[2].raw_author_name | Carreira, Paulo |
| authorships[2].is_corresponding | False |
| authorships[3].author.id | https://openalex.org/A5110309754 |
| authorships[3].author.orcid | |
| authorships[3].author.display_name | Nuno Santos |
| authorships[3].author_position | last |
| authorships[3].raw_author_name | Santos, Nuno |
| authorships[3].is_corresponding | False |
| has_content.pdf | False |
| has_content.grobid_xml | False |
| is_paratext | False |
| open_access.is_oa | True |
| open_access.oa_url | https://arxiv.org/pdf/2308.01990 |
| open_access.oa_status | green |
| open_access.any_repository_has_fulltext | False |
| created_date | 2025-10-10T00:00:00 |
| display_name | From Prompt Injections to SQL Injection Attacks: How Protected is Your LLM-Integrated Web Application? |
| has_fulltext | False |
| is_retracted | False |
| updated_date | 2025-11-06T06:51:31.235846 |
| primary_topic.id | https://openalex.org/T12479 |
| primary_topic.field.id | https://openalex.org/fields/17 |
| primary_topic.field.display_name | Computer Science |
| primary_topic.score | 0.9980000257492065 |
| primary_topic.domain.id | https://openalex.org/domains/3 |
| primary_topic.domain.display_name | Physical Sciences |
| primary_topic.subfield.id | https://openalex.org/subfields/1710 |
| primary_topic.subfield.display_name | Information Systems |
| primary_topic.display_name | Web Application Security Vulnerabilities |
| related_works | https://openalex.org/W3107810407, https://openalex.org/W2571113418, https://openalex.org/W2359391484, https://openalex.org/W4206678297, https://openalex.org/W3196457791, https://openalex.org/W2133089983, https://openalex.org/W3202423697, https://openalex.org/W4372049114, https://openalex.org/W4385682279, https://openalex.org/W4391476395 |
| cited_by_count | 17 |
| counts_by_year[0].year | 2025 |
| counts_by_year[0].cited_by_count | 8 |
| counts_by_year[1].year | 2024 |
| counts_by_year[1].cited_by_count | 8 |
| counts_by_year[2].year | 2023 |
| counts_by_year[2].cited_by_count | 1 |
| locations_count | 2 |
| best_oa_location.id | pmh:oai:arXiv.org:2308.01990 |
| best_oa_location.is_oa | True |
| best_oa_location.source.id | https://openalex.org/S4306400194 |
| best_oa_location.source.issn | |
| best_oa_location.source.type | repository |
| best_oa_location.source.is_oa | True |
| best_oa_location.source.issn_l | |
| best_oa_location.source.is_core | False |
| best_oa_location.source.is_in_doaj | False |
| best_oa_location.source.display_name | arXiv (Cornell University) |
| best_oa_location.source.host_organization | https://openalex.org/I205783295 |
| best_oa_location.source.host_organization_name | Cornell University |
| best_oa_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| best_oa_location.license | |
| best_oa_location.pdf_url | https://arxiv.org/pdf/2308.01990 |
| best_oa_location.version | submittedVersion |
| best_oa_location.raw_type | text |
| best_oa_location.license_id | |
| best_oa_location.is_accepted | False |
| best_oa_location.is_published | False |
| best_oa_location.raw_source_name | |
| best_oa_location.landing_page_url | http://arxiv.org/abs/2308.01990 |
| primary_location.id | pmh:oai:arXiv.org:2308.01990 |
| primary_location.is_oa | True |
| primary_location.source.id | https://openalex.org/S4306400194 |
| primary_location.source.issn | |
| primary_location.source.type | repository |
| primary_location.source.is_oa | True |
| primary_location.source.issn_l | |
| primary_location.source.is_core | False |
| primary_location.source.is_in_doaj | False |
| primary_location.source.display_name | arXiv (Cornell University) |
| primary_location.source.host_organization | https://openalex.org/I205783295 |
| primary_location.source.host_organization_name | Cornell University |
| primary_location.source.host_organization_lineage | https://openalex.org/I205783295 |
| primary_location.license | |
| primary_location.pdf_url | https://arxiv.org/pdf/2308.01990 |
| primary_location.version | submittedVersion |
| primary_location.raw_type | text |
| primary_location.license_id | |
| primary_location.is_accepted | False |
| primary_location.is_published | False |
| primary_location.raw_source_name | |
| primary_location.landing_page_url | http://arxiv.org/abs/2308.01990 |
| publication_date | 2023-08-03 |
| publication_year | 2023 |
| referenced_works_count | 0 |
| abstract_inverted_index.7 | 139 |
| abstract_inverted_index.a | 99, 202 |
| abstract_inverted_index.In | 94 |
| abstract_inverted_index.To | 173 |
| abstract_inverted_index.We | 193 |
| abstract_inverted_index.an | 28, 198 |
| abstract_inverted_index.as | 32, 116, 187 |
| abstract_inverted_index.be | 185 |
| abstract_inverted_index.by | 27, 42 |
| abstract_inverted_index.in | 8, 72 |
| abstract_inverted_index.of | 65, 81, 102, 145, 170 |
| abstract_inverted_index.on | 110, 129, 158 |
| abstract_inverted_index.to | 45, 49, 57, 163, 189 |
| abstract_inverted_index.we | 97, 120, 137, 177 |
| abstract_inverted_index.LLM | 44 |
| abstract_inverted_index.Our | 151 |
| abstract_inverted_index.SQL | 39, 58, 83 |
| abstract_inverted_index.and | 127 |
| abstract_inverted_index.are | 36, 160 |
| abstract_inverted_index.can | 55, 184 |
| abstract_inverted_index.not | 90 |
| abstract_inverted_index.our | 117 |
| abstract_inverted_index.the | 43, 63, 66, 69, 78, 111, 143, 168, 190, 195 |
| abstract_inverted_index.use | 204 |
| abstract_inverted_index.via | 19 |
| abstract_inverted_index.web | 12, 107 |
| abstract_inverted_index.been | 91 |
| abstract_inverted_index.case | 118, 205 |
| abstract_inverted_index.four | 179 |
| abstract_inverted_index.have | 4, 89 |
| abstract_inverted_index.into | 38 |
| abstract_inverted_index.lead | 56 |
| abstract_inverted_index.such | 31 |
| abstract_inverted_index.that | 154, 183 |
| abstract_inverted_index.they | 15 |
| abstract_inverted_index.this | 95 |
| abstract_inverted_index.used | 41 |
| abstract_inverted_index.user | 34, 53 |
| abstract_inverted_index.with | 21, 201 |
| abstract_inverted_index.LLMs, | 77, 141 |
| abstract_inverted_index.Large | 0 |
| abstract_inverted_index.Using | 114 |
| abstract_inverted_index.aided | 26 |
| abstract_inverted_index.based | 109, 157 |
| abstract_inverted_index.found | 5 |
| abstract_inverted_index.human | 17 |
| abstract_inverted_index.risks | 80 |
| abstract_inverted_index.their | 125 |
| abstract_inverted_index.these | 175 |
| abstract_inverted_index.where | 14 |
| abstract_inverted_index.(LLMs) | 3 |
| abstract_inverted_index.Models | 2 |
| abstract_inverted_index.across | 148 |
| abstract_inverted_index.highly | 161 |
| abstract_inverted_index.impact | 128 |
| abstract_inverted_index.paper, | 96 |
| abstract_inverted_index.prompt | 73, 87 |
| abstract_inverted_index.robust | 171 |
| abstract_inverted_index.study, | 119 |
| abstract_inverted_index.users. | 50 |
| abstract_inverted_index.Despite | 68 |
| abstract_inverted_index.attacks | 85, 147 |
| abstract_inverted_index.counter | 174 |
| abstract_inverted_index.defense | 181 |
| abstract_inverted_index.growing | 70 |
| abstract_inverted_index.models. | 150 |
| abstract_inverted_index.natural | 22 |
| abstract_inverted_index.present | 98 |
| abstract_inverted_index.prompts | 35, 54 |
| abstract_inverted_index.propose | 178 |
| abstract_inverted_index.provide | 46 |
| abstract_inverted_index.queries | 40 |
| abstract_inverted_index.through | 86, 132, 197 |
| abstract_inverted_index.various | 9 |
| abstract_inverted_index.However, | 51 |
| abstract_inverted_index.Language | 1 |
| abstract_inverted_index.P$_2$SQL | 122, 146, 164 |
| abstract_inverted_index.adoption | 169 |
| abstract_inverted_index.attacks, | 60, 166, 176 |
| abstract_inverted_index.chatbots | 20 |
| abstract_inverted_index.concrete | 134 |
| abstract_inverted_index.defenses | 196 |
| abstract_inverted_index.domains, | 10 |
| abstract_inverted_index.evaluate | 138 |
| abstract_inverted_index.findings | 152 |
| abstract_inverted_index.indicate | 153 |
| abstract_inverted_index.interest | 71 |
| abstract_inverted_index.language | 23, 149 |
| abstract_inverted_index.multiple | 133 |
| abstract_inverted_index.security | 64, 131 |
| abstract_inverted_index.specific | 79 |
| abstract_inverted_index.studied. | 93 |
| abstract_inverted_index.validate | 194 |
| abstract_inverted_index.variants | 126 |
| abstract_inverted_index.Langchain | 112, 115, 159, 191 |
| abstract_inverted_index.database. | 67 |
| abstract_inverted_index.defenses. | 172 |
| abstract_inverted_index.effective | 180 |
| abstract_inverted_index.examples. | 135 |
| abstract_inverted_index.exploring | 124 |
| abstract_inverted_index.including | 11 |
| abstract_inverted_index.injection | 59, 74, 84, 165 |
| abstract_inverted_index.responses | 48 |
| abstract_inverted_index.targeting | 76, 106 |
| abstract_inverted_index.(P$_2$SQL) | 104 |
| abstract_inverted_index.Langchain, | 33 |
| abstract_inverted_index.evaluation | 200 |
| abstract_inverted_index.extensions | 188 |
| abstract_inverted_index.facilitate | 16 |
| abstract_inverted_index.framework. | 113, 192 |
| abstract_inverted_index.generating | 82 |
| abstract_inverted_index.injections | 88, 105 |
| abstract_inverted_index.integrated | 186 |
| abstract_inverted_index.meaningful | 47 |
| abstract_inverted_index.middleware | 30 |
| abstract_inverted_index.real-world | 203 |
| abstract_inverted_index.techniques | 182 |
| abstract_inverted_index.translated | 37 |
| abstract_inverted_index.warranting | 167 |
| abstract_inverted_index.widespread | 6 |
| abstract_inverted_index.Internally, | 25 |
| abstract_inverted_index.application | 130 |
| abstract_inverted_index.examination | 101 |
| abstract_inverted_index.extensively | 92 |
| abstract_inverted_index.injections, | 123 |
| abstract_inverted_index.interaction | 18 |
| abstract_inverted_index.interfaces. | 24 |
| abstract_inverted_index.potentially | 61 |
| abstract_inverted_index.susceptible | 162 |
| abstract_inverted_index.unsanitized | 52 |
| abstract_inverted_index.Furthermore, | 136 |
| abstract_inverted_index.application. | 206 |
| abstract_inverted_index.applications | 7, 108, 156 |
| abstract_inverted_index.characterize | 121 |
| abstract_inverted_index.compromising | 62 |
| abstract_inverted_index.experimental | 199 |
| abstract_inverted_index.applications, | 13 |
| abstract_inverted_index.comprehensive | 100 |
| abstract_inverted_index.demonstrating | 142 |
| abstract_inverted_index.pervasiveness | 144 |
| abstract_inverted_index.prompt-to-SQL | 103 |
| abstract_inverted_index.LLM-integrated | 155 |
| abstract_inverted_index.LLM-integration | 29 |
| abstract_inverted_index.vulnerabilities | 75 |
| abstract_inverted_index.state-of-the-art | 140 |
| cited_by_percentile_year | |
| countries_distinct_count | 0 |
| institutions_distinct_count | 4 |
| sustainable_development_goals[0].id | https://metadata.un.org/sdg/16 |
| sustainable_development_goals[0].score | 0.7099999785423279 |
| sustainable_development_goals[0].display_name | Peace, Justice and strong institutions |
| citation_normalized_percentile |