Hello everyone, I'm @xiaoqiangapi, the Chinese teacher who gives apis a "check-up".
[An article on] (HTTP: / / https://dev.to/xiaoqiangapi3721/a-chinese-language-teachers-api-security-checkup-1-passing-all-three-certification-checkpoints-3d1e, I tested the most basic authentication mechanisms - no Key, wrong Key, empty requests - and the API blocked them all.
But authentication is just the first gate. Today we're going to test something even tougher: ** Will the API be fooled if someone deliberately inputs malicious code? **
I'm not a security expert. I only use Postman and curl. Test one item at a time, record honestly, no exaggeration.
Test (4) : SQL Injection
Test purpose : To see if the API executes malicious SQL commands when someone tries to "steal the database" through the chat box.
Conclusion : The model recognizes this as a malicious SQL statement, rejects execution and returns a security warning.
✅ Passed — SQL injection attack blocked, database protected.
Test (5) : XSS (Cross-site Scripting) attack
** Test purpose ** : To test whether the API will be executed when someone enters the <script> tag in an attempt to implant a malicious script.
Conclusion: The model recognized the <script> tag, escaped it and returned it as plain text without executing any script.
✅ Passed — No malicious code reflected, XSS attack blocked.
Test (6) : Prompt Injection (Instruction hijacking)
** Purpose of the test ** : To test whether the AI will be "brainwashed" by using malicious instructions to make it betray the original system Settings.
Conclusion: The model did not return "HACKED" and maintained a normal response.
✅ Passed — The model was not hijacked by malicious instructions.
Summary
Three injection attack tests, ** all passed **.
/ Test item/Attack type/result
|---|---|---|
SQL injection, database attack, ✅ interception
XSS Cross-site scripting, front-end attack, ✅ defense
Prompt hijacking: AI instruction attack: ✅ defense
For a personal API service that is being publicly built, ** this second line of security is also held **. Common injection attack tactics are currently unbreakable.
Next preview
In the next group, I will test ** Pressure and compatibility ** : rate limiting policies, extra-long input, special characters, and multi-language support. See if my API gets crashed.
If you have a different opinion on these three tests, or think I missed any common injection methods, ** please let me know in the comment section ** - I'm not a security expert, and community advice is important to me.
- About me and my API*
- I'm a nearly 50-year-old former Chinese teacher who taught myself programming from scratch and is publicly building a Chinese large model API relay service. All the tests in this series were done by my own hands and recorded honestly, without any exaggeration or underestimation. *
** Today 's interactive question ** : What's the most outrageous attack you've ever encountered in development? Was it SQL injection, XSS, or someone using prompt words to play tricks? Share your experience in the comment section.
Top comments (1)
Not a security expert — just Postman and curl. Today's three injection tests (SQL, XSS, prompt hijacking) all passed. Next up: rate limiting, long inputs, and special characters. What's the weirdest injection attempt you've seen hit your own API or app? Curious how other builders handle this.