Understanding the difference: SQL injection vs prompt injection
The National Cyber Security Centre (NCSC) recently highlighted a growing misunderstanding in our industry. Many have been tempted to compare prompt injection attacks with SQL injection attacks, as if prompt injection were simply the next generation of a familiar problem. The temptation is understandable. Both are injection attacks, both involve user input, and both exploit weak boundaries in software. Yet prompt injection is not SQL injection, and here is why the difference matters.
If you’re concerned about a cyber attack or unknown vulnerabilities in your AI systems, contact Zensec for a risk assessment and expert guidance.
Security teams have decades of experience defending database systems. SQL injection means an attacker forces a database engine to run unintended commands. The mitigation playbook is mature. Parameterised queries, input validation and robust frameworks have made SQL injection something that can be largely controlled. In many environments the risk is almost totally mitigated. It is a classic example of a technical flaw that can be solved once the conditions are understood.
Prompt injection is different. Large language models (LLMs), including those used in many current LLM applications, do not operate like structured database systems. They have no inherent distinction between data and instructions. Everything is treated as text, and the model's response is produced by predicting the most likely next token. This means that malicious prompts, hidden instructions and earlier instructions embedded in the data can influence the model in unexpected ways. This is the same underlying issue that makes prompt injection a classic confused-deputy vulnerability: the model acts on behalf of the user without a clear security boundary.
This is why the NCSC has warned that prompt injection attacks may never be totally mitigated in the way SQL injection was. Such models lack the manageable variables that allowed SQL injection to be properly mitigated. Instead of a database engine that executes strict commands, we have generative AI systems that build their output from patterns in the text of the prompt. A robust boundary between commands and content may not be technically possible for AI models as they exist today.
Direct and indirect prompt injection: a persistent risk
Security professionals have already observed both direct and indirect prompt injection. Direct attacks involve a user typing their own instructions into an LLM prompt. Indirect prompt injection occurs when external content is processed by an AI system, for example a website or email containing hidden instructions. If an application asks an LLM to summarise an email, an attacker could embed instructions in that email to trigger harmful API calls. This could lead to command execution through a privileged component if designers have not restricted privileged tools. Early testing of AI agents shows that threat actors can take advantage of this pattern, which is repeated across many AI systems.
Security researchers, including the NCSC Technical Director for Platforms Research, have emphasised that injection attacks may never behave the same way in AI as they do in classical systems. Buffer overflows, code injection and cross-site scripting share a similar theme. But generative AI introduces new dynamics because the model cannot reliably separate data from instructions. The underlying issue is structural.
There is therefore a good chance that prompt injection will remain a persistent and critical vulnerability type. Even if mitigation solves specific examples, there will always be remaining risk. Security teams may identify suspicious activity in logs or detect a less privileged attacker trying to influence model output, but the system's security cannot rely on filtering prompts alone. Security professionals must treat prompt injection as an architectural issue.
Mitigating prompt injection in AI systems
So how do we mitigate prompt injection in practice? While it cannot be fully fixed, there are sensible steps to reduce impact. AI system designers can limit the privileges given to AI models, restrict commands exposed to LLMs and avoid allowing LLMs to trigger sensitive operations without additional verification. Designers should avoid connecting generative AI tools directly to sensitive data or critical systems. Residual risk must be expected and managed, not ignored.
Baseline cyber security requirements for securing generative AI should include strong isolation, privileged tool control, monitoring for anomalous API calls, careful handling of user input and clear separation between high risk and low risk tasks. Organisations should compare prompt injection threats with known models of classical vulnerabilities, but they must resist the belief that prompt injection can be fixed using the same methods that fixed SQL injection.
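The least-privilege and privileged-tool-control steps above can be enforced outside the model, in the code that decides whether a model-proposed tool call actually runs. The following is an added example (not Zensec's or the NCSC's code); it assumes the model emits a JSON object of the form {"tool": ..., "args": {...}}, that each task context has its own tool allowlist, and that write-capable tools require a human approval recorded by the application.

```python
"""Policy gate for LLM-proposed tool calls (added example; hypothetical design)."""
import json
from dataclasses import dataclass, field

# Risk tiers: READ tools may run unattended, WRITE tools need explicit human approval.
READ, WRITE = "read", "write"
TOOL_TIERS = {
    "calendar.lookup": READ,
    "crm.search": READ,
    "email.send": WRITE,
    "payments.transfer": WRITE,
}

# Each task context only sees the tools it needs (least privilege). A pure
# summarisation task gets no tools at all, so an instruction injected into the
# email being summarised has nothing it can call.
TASK_ALLOWLIST = {
    "summarise_email": set(),
    "schedule_meeting": {"calendar.lookup", "email.send"},
    "sales_assistant": {"crm.search"},
}


@dataclass
class Gate:
    task: str
    approved: set = field(default_factory=set)  # call ids a human has approved
    audit: list = field(default_factory=list)   # every decision, for monitoring

    def decide(self, model_output: str, call_id: str = "") -> tuple:
        """Return (verdict, reason, args); only 'allow' should lead to execution."""
        try:
            call = json.loads(model_output)
            tool, args = call["tool"], dict(call.get("args", {}))
        except (ValueError, KeyError, TypeError):
            return self._log("deny", "malformed tool call", None)
        if tool not in TASK_ALLOWLIST.get(self.task, set()):
            # An out-of-scope tool request is exactly the anomalous API call
            # worth alerting on: the model was never offered this tool.
            return self._log("deny", f"{tool} not permitted for task {self.task}", tool)
        if TOOL_TIERS[tool] == WRITE and call_id not in self.approved:
            return self._log("hold", f"{tool} requires human approval", tool)
        return self._log("allow", "ok", tool, args)

    def _log(self, verdict, reason, tool, args=None):
        self.audit.append({"task": self.task, "tool": tool,
                           "verdict": verdict, "reason": reason})
        return verdict, reason, args
```

The audit list is what a monitoring pipeline would consume: a run of "deny" verdicts for write tools from a summarisation task is a strong signal of injected instructions in the processed content.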
Security professionals should also recognise that SQL injection attacks relied on deterministic code, whereas prompt injection exploits the behaviour of large language models. These models generate output using probabilistic reasoning rather than structured parsing. There is no guarantee the model will follow its own instructions or the system prompt once malicious inputs are introduced. This creates opportunities for threat actors to trigger harmful behaviours even in well-intentioned deployments.
AI prompt injection is already reported regularly in research papers. Published attacks have shown that malicious prompts can override safety filters and bypass restrictions with surprising ease. Security researchers warn that future data breaches may occur when LLMs gain access to sensitive data and privileged tools. As more organisations deploy AI models into operational workflows, the attack surface continues to expand.
Prompt injection attacks are not a temporary trend. With the rapid growth of AI systems and generative AI capabilities, the risk is increasing. The fact that prompt injection is not SQL injection is precisely the point. SQL injection was a technical flaw. AI prompt injection is a deeper design challenge. Platforms research suggests that such attacks may never be totally solved. The most effective strategy is to reduce the blast radius, control privileges and accept residual risk.
To protect organisations, security teams must start treating prompt injection as a first class security problem. It demands architectural thinking, not quick filters. The earlier we adapt, the safer our AI future will be.
Cyber Risk Assessment
Protect your organisation from emerging AI security risks with a Cyber Risk Assessment. Our experts can assess your systems, identify vulnerabilities, and help implement effective safeguards against prompt injection attacks.