How we keep your database queries read-only at every layer
A deep dive into our multi-layer SQL validation that prevents destructive queries from ever reaching your data.
The trust problem
When you give an AI agent access to your database, the first question is always the same: “What if it breaks something?” It’s a valid concern. A single misplaced DELETE or DROP statement could wipe out months of data.
At AI.RESEARCH.MY, we’ve designed a multi-layer defense system that makes destructive queries structurally impossible — not just unlikely, but impossible at the system level.
Layer 1: Query validation
Before any SQL query reaches your database, it passes through a regex-based validator. This validator checks every query against a blocklist of dangerous keywords: INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, CREATE, GRANT, and REVOKE.
Only SELECT, SHOW, DESCRIBE, and EXPLAIN statements are allowed through. Everything else is rejected before it even reaches the database connection.
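The validator described in this layer, written out as an added example (this is not AI.RESEARCH.MY's own code): the leading keyword must be one of the four allowed statement types, and the nine blocklisted keywords are matched as whole words, case-insensitively. Two checks go beyond what the page states and are my assumptions about a sensible implementation: comments are stripped before matching, and a query containing a second statement is rejected outright.

```python
import re

# Layer 1 allowlist: the statement types the page lets through.
ALLOWED_LEADING = ("SELECT", "SHOW", "DESCRIBE", "EXPLAIN")
# Layer 1 blocklist: the keywords the page names, matched as whole words anywhere in the query.
BLOCKED_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER",
                    "TRUNCATE", "CREATE", "GRANT", "REVOKE")

_BLOCKED_RE = re.compile(r"\b(" + "|".join(BLOCKED_KEYWORDS) + r")\b", re.IGNORECASE)
# MySQL comment forms: /* ... */, "--" to end of line, "#" to end of line (assumption: stripped first).
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*|#[^\n]*", re.DOTALL)
_FIRST_WORD_RE = re.compile(r"[A-Za-z]+")


class QueryRejected(ValueError):
    """Raised when a query fails read-only validation."""


def normalize(sql: str) -> str:
    """Strip comments, collapse whitespace, and drop a trailing semicolon.

    The normalized text is what should be handed to the database, so that the
    string that was validated is exactly the string that runs.
    """
    without_comments = _COMMENT_RE.sub(" ", sql)
    collapsed = re.sub(r"\s+", " ", without_comments).strip()
    return collapsed.rstrip(";").strip()


def validate_read_only(sql: str) -> str:
    """Return the normalized query if it passes every check, else raise QueryRejected."""
    query = normalize(sql)
    if not query:
        raise QueryRejected("empty query")
    # A ';' still inside the text means a second statement follows the first.
    if ";" in query:
        raise QueryRejected("multiple statements are not allowed")
    first = _FIRST_WORD_RE.match(query)
    if first is None or first.group(0).upper() not in ALLOWED_LEADING:
        raise QueryRejected("statement type is not on the allowlist")
    blocked = _BLOCKED_RE.search(query)
    if blocked:
        raise QueryRejected(f"blocked keyword {blocked.group(0).upper()!r}")
    return query


def is_read_only(sql: str) -> bool:
    """Boolean convenience wrapper around validate_read_only."""
    try:
        validate_read_only(sql)
        return True
    except QueryRejected:
        return False
```

The allowlist check runs before the blocklist check, so an unknown statement type is refused even if it contains none of the nine keywords. The comment stripper is deliberately crude: a `#` or `--` inside a string literal is also removed, which can turn a legitimate query into one the database refuses to parse. That errs toward rejection, which is the right direction for this layer; a keyword filter is never a complete parser, which is exactly why the page stacks the connection-level restrictions of Layer 2 behind it.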
Layer 2: Connection-level restrictions
Each project database is connected using credentials with read-only permissions at the MySQL level. Even if a destructive query somehow bypassed our application-level validation, the database server itself would reject it.
This defense-in-depth approach means no single point of failure can lead to data modification.
Layer 3: Result limiting
To prevent data exfiltration, all query results are capped at 1,000 rows. The response payload is also truncated at 15,000 characters. This ensures the agent can’t be tricked into extracting your entire database through clever SELECT queries.
These limits are enforced at the tool execution level, not the agent level — so they can’t be overridden by prompt injection or creative conversation.
“Security isn’t a feature you add. It’s an architecture you build.”
Project isolation
Every project in AI.RESEARCH.MY has its own database credentials. Users can only query databases for projects they’ve been explicitly assigned to by an administrator. There’s no way to access another project’s data, even if you know the database name.
This multi-tenant isolation extends to file access, workspace directories, and API endpoints. Every request is scoped to the authenticated user’s permissions.
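Layers 2 and 3 and the project-isolation rule all live below the agent, in the code that executes the tool call. The following is an added example of that execution path (not AI.RESEARCH.MY's code): credentials are resolved from an administrator-managed assignment table rather than from the request, the connection is opened read-only, and the 1,000-row and 15,000-character caps are applied to the result. Because the example has to run offline, SQLite's read-only URI mode stands in for MySQL read-only grants; the user names, project ids, database paths and table contents are constructed for the demo. The Layer 1 validator is intentionally left out so that the database-level rejection is visible on its own.

```python
import json
import os
import sqlite3
import tempfile

MAX_ROWS = 1000             # Layer 3: row cap
MAX_PAYLOAD_CHARS = 15_000  # Layer 3: response payload cap

# Constructed sample data (hypothetical users, project ids and paths):
# the administrator-managed assignment table and one database file per project.
ASSIGNMENTS = {"alice": {"proj-a"}, "bob": {"proj-b"}}
_WORKDIR = tempfile.mkdtemp(prefix="readonly-demo-")
PROJECT_DBS = {pid: os.path.join(_WORKDIR, f"{pid}.sqlite") for pid in ("proj-a", "proj-b")}


class AccessDenied(PermissionError):
    """The user is not assigned to the project they asked about."""


class QueryFailed(RuntimeError):
    """The database engine itself refused the statement (Layer 2)."""


def seed_project(project_id: str, n_rows: int) -> None:
    """Administrative setup over a writable connection; the agent never gets this path."""
    conn = sqlite3.connect(PROJECT_DBS[project_id])
    with conn:
        conn.execute("DROP TABLE IF EXISTS events")
        conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, note TEXT)")
        conn.executemany("INSERT INTO events (note) VALUES (?)",
                         [(f"event {i} for {project_id}",) for i in range(n_rows)])
    conn.close()


def setup_demo() -> None:
    """Seed one project well over the row cap and one well under it."""
    seed_project("proj-a", 1500)
    seed_project("proj-b", 5)


def open_read_only(project_id: str) -> sqlite3.Connection:
    """Layer 2 stand-in: SQLite's read-only URI mode plays the role of MySQL
    read-only grants, so any write fails inside the engine whatever reached it."""
    return sqlite3.connect(f"file:{PROJECT_DBS[project_id]}?mode=ro", uri=True)


def run_project_query(user: str, project_id: str, sql: str) -> dict:
    """Tool-execution path: isolation check, read-only connection, then result capping.
    The caps are applied here, below the agent, so no prompt can talk them away."""
    # Project isolation: the connection comes from the assignment table, never from the request.
    if project_id not in ASSIGNMENTS.get(user, set()):
        raise AccessDenied(f"{user} is not assigned to {project_id}")
    conn = open_read_only(project_id)
    try:
        cursor = conn.execute(sql)
        # Read at most cap+1 rows so truncation can be reported without draining the result.
        rows = cursor.fetchmany(MAX_ROWS + 1)
    except sqlite3.OperationalError as exc:
        raise QueryFailed(str(exc)) from exc
    finally:
        conn.close()
    row_cap_hit = len(rows) > MAX_ROWS
    payload = json.dumps(rows[:MAX_ROWS])
    payload_cap_hit = len(payload) > MAX_PAYLOAD_CHARS
    return {
        "rows_returned": min(len(rows), MAX_ROWS),
        "row_cap_hit": row_cap_hit,
        "payload": payload[:MAX_PAYLOAD_CHARS],
        "payload_cap_hit": payload_cap_hit,
    }


def query_outcome(user: str, project_id: str, sql: str) -> str:
    """Classify what happened, in the form an audit log entry would record."""
    try:
        result = run_project_query(user, project_id, sql)
    except AccessDenied:
        return "denied: user not assigned to project"
    except QueryFailed as exc:
        return f"rejected by database: {exc}"
    return f"ok: {result['rows_returned']} rows, row cap hit={result['row_cap_hit']}"


if __name__ == "__main__":
    setup_demo()
    for user, project, sql in [
        ("alice", "proj-a", "SELECT id, note FROM events ORDER BY id"),
        ("bob", "proj-a", "SELECT id FROM events"),
        ("alice", "proj-a", "DELETE FROM events"),  # Layer 1 would refuse this; Layer 2 refuses it anyway
    ]:
        print(user, project, repr(sql), "->", query_outcome(user, project, sql))
```

Two details carry the security weight. The caller never supplies a connection string or a database name; the project id is only a lookup key into a table the administrator controls, which is what makes the "even if you know the database name" guarantee hold. And the result cap is applied with `fetchmany(MAX_ROWS + 1)` rather than by fetching everything and slicing, so a query that would return the whole table never loads the whole table into the tool process.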