Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The real solution is in principle easy: separate data from metadata https://kunnas.com/articles/the-content-is-the-attack-surfac...


If the action is decided by code based on metadata - then what is really the LLM task? And if you say that it is only the type of action that is decided by code - then this is maybe a mitigation - but the llm still can do a lot of harm. And also it is very limiting - using the llm to decide the action is very useful. This is different from SQL injection - where the action is determined by the code and the injection is really making a code parsing error.

It might still be the way to go - but calling it 'the real solution' is overselling it.


I believe it is the other way around: the LLM decides the type of action and the input to the action; the code validates the permission to act and the acceptability of the input. But, yes it is very different than SQL injection in that way.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: