isn't this whole problem category technologically solved by applying an approach equivalent to preventing SQL injection using prepared statements?
because at this point most "experts" seem to confuse talking to an LLM with having the LLM trigger an action. this whole censoring problem is of course tricky but if it's about keeping the LLM from pulling a good ole `format C` then this is done by feeding the LLM result into the interpreter as a prepared statement and control execution by run of the mill user rights management.
a lot of the discussion seems to me like rediscovering that you cannot validate XML using regular expressions.
No. People want to do things like summarization, sentiment analysis, chatting with the user, or doing a task given by the user, which will take an arbitrary string from the user. That arbitrary string can have a prompt injection in it.
You could be very strict on what you pass into to ensure nothing capable of being a prompt makes it in (eg. only allowing a number), but a LLM probably isn't the right tool in that case.
because at this point most "experts" seem to confuse talking to an LLM with having the LLM trigger an action. this whole censoring problem is of course tricky but if it's about keeping the LLM from pulling a good ole `format C` then this is done by feeding the LLM result into the interpreter as a prepared statement and control execution by run of the mill user rights management.
a lot of the discussion seems to me like rediscovering that you cannot validate XML using regular expressions.