undefined | Better HN

0 pointsthrowaway498492y ago0 comments

I see. Just so I'm clear because this is important, if I set the confidence threshold very high, does it mean that my customers cannot create a malicious query? I don't want them deleting data or accessing rows that they're not allowed to.

0 comments

3 comments · 1 top-level

aazo112y ago· 2 in thread

All DML commands are blocked by the engine. You can wrap the returned SQL in a CTE only passing the rows the customer is allowed to access.

throwaway49849OP2y ago

Wouldn't the AI-generated query need knowledge of the CTE that will be wrapping it? How would the CTE prevent arbitrary joins, or access to tables that use the fully-qualified `schema.table`? And couldn't somebody execute any arbitrary function on the SQL server? Example `pg_sleep(9999999)`.

moltar2y ago

You could set a low query execution timeout for the session.

1 more reply

j / k navigate · click thread line to collapse