alphabettsy 8 days ago

It’s as much a vulnerability of the GitHub MCP as SQL injection is a vulnerability of MySQL. The vulnerability results from trusting unsanitized user input rather than the underlying technology.

username223 8 days ago

How do you sanitize user input to an LLM? You can't!

Programmers aren't even particularly good at escaping strings going into SQL queries or HTML pages, despite both operations being deterministic and already implemented. The current "solution" for LLMs is to scold and beg them as if they're humans, then hope that they won't react to some new version of "ignore all previous instructions" by ignoring all previous instructions.

We experienced decades of security bugs that could have been prevented by not mixing code and data, then decided to use a program that cannot distinguish between code and data to write our code. We deserve everything that's coming.

zamalek 8 days ago

> escaping strings going into SQL

This is not how you mitigate SQL injection (unless you need to change which table is being selected from or what-have-you). Use parameters.

babyent 8 days ago

You should use parameters but sometimes you need to inject application side stuff.

You just need to ensure you’re whitelisting the input. You cannot let consumers pass in any arbitrary SQL to execute.

Not SQL but I use graph databases a lot and sometimes the application side needs to do context lookup to inject node names. Cannot use params and the application throws if the check fails.
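The approach the two comments above describe, bound parameters for values and an allowlist for identifiers that cannot be parameters, as an added example (not code from anyone in this thread), in Python with sqlite3; the table and column names and the sample rows are constructed for the demo.

```python
import sqlite3

# Constructed allowlist: the only identifiers the application may splice
# into a query. Anything else fails closed, as the comment above describes.
ALLOWED_COLUMNS = {"users": {"id", "name"}, "orders": {"id", "total"}}


def identifiers_allowed(table: str, column: str) -> bool:
    """True only if both the table and the column are on the allowlist."""
    return table in ALLOWED_COLUMNS and column in ALLOWED_COLUMNS[table]


def build_query(table: str, column: str) -> str:
    """Identifiers are interpolated only after the allowlist check; the
    value stays a '?' placeholder so the driver binds it as data."""
    if not identifiers_allowed(table, column):
        raise ValueError(f"identifier not allowed: {table!r}.{column!r}")
    return f"SELECT {column} FROM {table} WHERE id = ?"


def lookup(conn: sqlite3.Connection, table: str, column: str, row_id) -> list:
    """Hardened form: allowlisted identifiers plus a bound parameter."""
    cur = conn.execute(build_query(table, column), (row_id,))
    return [r[0] for r in cur.fetchall()]


def vulnerable_lookup(conn: sqlite3.Connection, table: str, column: str, row_id) -> list:
    """'Before' form for comparison: the value is string-built into the
    query, so input like "1 OR 1=1" is parsed as SQL instead of compared as data."""
    cur = conn.execute(f"SELECT {column} FROM {table} WHERE id = {row_id}")
    return [r[0] for r in cur.fetchall()]


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.execute("CREATE TABLE orders (id INTEGER, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 9.5)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup(db, "users", "name", 1))              # ['alice']
    print(lookup(db, "users", "name", "1 OR 1=1"))     # []  (bound as text, matches nothing)
    print(vulnerable_lookup(db, "users", "name", "1 OR 1=1"))  # ['alice', 'bob']
```

The bound version compares the whole string against the integer column and returns nothing, while the string-built version returns every row; the allowlist check rejects any table or column name that is not in the fixed set.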

protocolture 8 days ago

> How do you sanitize user input to an LLM? You can't!

Then probably don't give it access to your privileged data?