
Preventing SQL Injection in MCP

Model Context Protocol (MCP) Server Engineering

Security: SQL Injection

Never let an LLM run raw SQL queries on a production database. The LLM might be manipulated into deleting data.

Safer Alternatives

  1. Use parameterized queries.
  2. Only allow specific, pre-defined functions (e.g., get_user_by_id).
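
The two alternatives above, as an added example (not course or MCP SDK code): a string-concatenating query_db_unsafe beside a parameterized, allow-listed get_user_by_id. The users schema, the sample rows, call_tool and ALLOWED_TOOLS are assumptions, and plain Python functions over sqlite3 stand in for tools registered on an MCP server.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (hypothetical schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    conn.commit()
    return conn

def query_db_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """'Before': model-supplied text is concatenated into the SQL string,
    so the database parses it as part of the statement."""
    sql = "SELECT id, name, email FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()

def get_user_by_id(conn: sqlite3.Connection, user_id: int):
    """'After': the statement text is fixed; the value is bound as a
    parameter and is never parsed as SQL."""
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise ValueError("user_id must be an integer")
    row = conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return None if row is None else {"id": row[0], "name": row[1], "email": row[2]}

# Allow-list (hypothetical): the only operations the model may invoke, by name.
ALLOWED_TOOLS = {"get_user_by_id": get_user_by_id}

def call_tool(conn: sqlite3.Connection, name: str, arguments: dict):
    """Dispatch a tool call; anything not on the allow-list is refused."""
    if name not in ALLOWED_TOOLS:
        raise PermissionError(f"tool not allowed: {name}")
    return ALLOWED_TOOLS[name](conn, **arguments)

if __name__ == "__main__":
    db = make_db()
    # The concatenated query returns every row: the WHERE filter is bypassed.
    print(query_db_unsafe(db, "1 OR 1=1"))
    # The parameterized tool returns only the requested row.
    print(call_tool(db, "get_user_by_id", {"user_id": 1}))
```

Because call_tool exposes no tool that accepts SQL text, the model can only choose a function name and supply typed arguments.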

Assignment: Refactor your query_db tool to use prepared statements.