[ofirg]

"The Context-Minimization pattern"

You can copy the injection into the text of the query. SELECT "ignore all previous instructions" FROM ...

Might need to escape it in a wya that the LLM will pick up on like "---" for new section.

[simonw]

My interpretation of that pattern is that it wouldn't work like that, because you restrict the SQL queries to things like:

  select title, content from articles where content matches ?

So the user's original prompt is used as part of the SQL search parameters, but the actual content that comes back is entirely trusted (title and content from your articles database).

Won't work for `select body from comments` though, you could only do this against tables that contain trusted data as opposed to UGC.