The latest articles on DEV Community by baron (@zeredbaron). https://dev.to/zeredbaron https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3680508%2Fb8a2796f-c651-4602-842e-af2b6c670103.jpeg https://dev.to/zeredbaron en baron Fri, 26 Dec 2025 22:48:58 +0000 https://dev.to/zeredbaron/i-almost-let-an-llm-delete-my-database-heres-what-i-built-to-prevent-it-p7k https://dev.to/zeredbaron/i-almost-let-an-llm-delete-my-database-heres-what-i-built-to-prevent-it-p7k <p>Everyone's building "chat with your data" apps right now. Connect an LLM to your database, let it write SQL, execute the results. Magic.</p> <p>Until it isn't.</p> <h2> The Wake-Up Call </h2> <p>I was testing a GPT-4 agent connected to a staging database. Asked it to "clean up the test data from last week." </p> <p>It started generating DELETE statements.</p> <p>I caught it in time. But it got me thinking — there's literally nothing between the LLM and my database. One hallucination, one prompt injection, one bad day, and production data is gone.</p> <h2> The Problem </h2> <p>When you connect an AI to a database, you're giving it the keys to everything. Most setups look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → LLM → SQL → Database </code></pre> </div> <p>No validation. No guardrails. The LLM can generate anything, and it gets executed.</p> <h2> The Solution </h2> <p>I built a simple validation layer that sits between the SQL source and your database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User → LLM → SQL → ProxQL → Database ↓ (blocked) </code></pre> </div> <p>It's called ProxQL. Here's how it works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">proxql</span> <span class="c1"># Safe queries pass through </span><span class="n">proxql</span><span class="p">.</span><span class="nf">is_safe</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT * FROM users</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># True </span> <span class="c1"># Destructive queries get blocked </span><span class="n">proxql</span><span class="p">.</span><span class="nf">is_safe</span><span class="p">(</span><span class="sh">"</span><span class="s">DROP TABLE users</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># False </span><span class="n">proxql</span><span class="p">.</span><span class="nf">is_safe</span><span class="p">(</span><span class="sh">"</span><span class="s">DELETE FROM logs</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># False </span> <span class="c1"># You can also restrict to specific tables </span><span class="n">result</span> <span class="o">=</span> <span class="n">proxql</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT * FROM employees</span><span class="sh">"</span><span class="p">,</span> <span class="n">allowed_tables</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">products</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">orders</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="n">result</span><span class="p">.</span><span class="n">is_safe</span> <span class="c1"># False </span><span class="n">result</span><span class="p">.</span><span class="n">reason</span> <span class="c1"># "Table 'employees' is not in allowed tables list" </span></code></pre> </div> <h2> What It Catches </h2> <p>Beyond basic statement types, it detects SQL injection patterns:</p> <p><strong>Hex encoding:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="mi">0</span><span class="n">x44524F50</span> <span class="c1">-- This is "DROP" in hex</span> </code></pre> </div> <p><strong>CHAR() abuse:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="nb">CHAR</span><span class="p">(</span><span class="mi">68</span><span class="p">)</span> <span class="o">||</span> <span class="nb">CHAR</span><span class="p">(</span><span class="mi">82</span><span class="p">)</span> <span class="o">||</span> <span class="nb">CHAR</span><span class="p">(</span><span class="mi">79</span><span class="p">)</span> <span class="o">||</span> <span class="nb">CHAR</span><span class="p">(</span><span class="mi">80</span><span class="p">)</span> <span class="c1">-- Spells "DROP"</span> </code></pre> </div> <p><strong>File access:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="n">pg_read_file</span><span class="p">(</span><span class="s1">'/etc/passwd'</span><span class="p">)</span> <span class="k">SELECT</span> <span class="n">LOAD_FILE</span><span class="p">(</span><span class="s1">'/etc/passwd'</span><span class="p">)</span> <span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">INTO</span> <span class="n">OUTFILE</span> <span class="s1">'/tmp/dump.txt'</span> </code></pre> </div> <p><strong>Unicode homoglyphs:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">n</span><span class="err">а</span><span class="n">me</span> <span class="o">=</span> <span class="s1">'admin'</span> <span class="c1">-- That 'а' is Cyrillic, not ASCII</span> </code></pre> </div> <h2> Three Modes </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Mode</th> <th>What's Allowed</th> </tr> </thead> <tbody> <tr> <td><code>read_only</code></td> <td>SELECT only (default)</td> </tr> <tr> <td><code>write_safe</code></td> <td>SELECT, INSERT, UPDATE</td> </tr> <tr> <td><code>custom</code></td> <td>You define the rules</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">proxql</span> <span class="kn">import</span> <span class="n">Validator</span> <span class="c1"># Read-only for analytics </span><span class="n">analytics</span> <span class="o">=</span> <span class="nc">Validator</span><span class="p">(</span><span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">read_only</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Allow writes but block destructive ops </span><span class="n">api</span> <span class="o">=</span> <span class="nc">Validator</span><span class="p">(</span><span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">write_safe</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Custom rules </span><span class="n">admin</span> <span class="o">=</span> <span class="nc">Validator</span><span class="p">(</span> <span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">custom</span><span class="sh">"</span><span class="p">,</span> <span class="n">allowed_statements</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">SELECT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INSERT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">UPDATE</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">DELETE</span><span class="sh">"</span><span class="p">],</span> <span class="n">blocked_statements</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">DROP</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">TRUNCATE</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <h2> Works with Any SQL Source </h2> <p>Not just LLMs. Use it for:</p> <ul> <li>User-submitted queries in BI tools</li> <li>Automated pipelines</li> <li>API endpoints that accept SQL</li> <li>Any text-to-SQL workflow</li> </ul> <h2> Available in Python and TypeScript </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>proxql </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>proxql </code></pre> </div> <p>The API is identical in both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">proxql</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">proxql</span><span class="dl">'</span><span class="p">;</span> <span class="nx">proxql</span><span class="p">.</span><span class="nf">isSafe</span><span class="p">(</span><span class="dl">"</span><span class="s2">SELECT * FROM users</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// true</span> <span class="nx">proxql</span><span class="p">.</span><span class="nf">isSafe</span><span class="p">(</span><span class="dl">"</span><span class="s2">DROP TABLE users</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// false</span> </code></pre> </div> <h2> Try It </h2> <p>GitHub: <a href="https://github.com/Zeredbaron/proxql" rel="noopener noreferrer">github.com/Zeredbaron/proxql</a></p> <p>It's open source (Apache 2.0). Would love feedback — especially on injection patterns I might be missing.</p> <p><em>What's the sketchiest SQL you've seen an LLM generate? Drop it in the comments.</em></p> sql python ai security