{"id":"https://openalex.org/W7109089714","doi":"https://doi.org/10.1145/3769762","title":"Are Your LLM-based Text-to-SQL Models Secure? Exploring SQL Injection via Backdoor Attacks","display_name":"Are Your LLM-based Text-to-SQL Models Secure? Exploring SQL Injection via Backdoor Attacks","publication_year":2025,"publication_date":"2025-12-04","ids":{"openalex":"https://openalex.org/W7109089714","doi":"https://doi.org/10.1145/3769762"},"language":"en","primary_location":{"id":"doi:10.1145/3769762","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3769762","pdf_url":null,"source":{"id":"https://openalex.org/S4387289859","display_name":"Proceedings of the ACM on Management of Data","issn_l":"2836-6573","issn":["2836-6573"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Management of Data","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Meiyu Lin","orcid":"https://orcid.org/0009-0000-9057-9260"},"institutions":[{"id":"https://openalex.org/I24185976","display_name":"Sichuan University","ror":"https://ror.org/011ashp19","country_code":"CN","type":"education","lineage":["https://openalex.org/I24185976"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Meiyu Lin","raw_affiliation_strings":["Sichuan University, Chengdu, China"],"affiliations":[{"raw_affiliation_string":"Sichuan University, Chengdu, China","institution_ids":["https://openalex.org/I24185976"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Haichuan Zhang","orcid":"https://orcid.org/0009-0005-0288-2937"},"institutions":[{"id":"https://openalex.org/I24185976","display_name":"Sichuan University","ror":"https://ror.org/011ashp19","country_code":"CN","type":"education","lineage":["https://openalex.org/I24185976"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haichuan Zhang","raw_affiliation_strings":["Sichuan University, Chengdu, China"],"affiliations":[{"raw_affiliation_string":"Sichuan University, Chengdu, China","institution_ids":["https://openalex.org/I24185976"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Jiale Lao","orcid":"https://orcid.org/0009-0003-1144-5152"},"institutions":[{"id":"https://openalex.org/I205783295","display_name":"Cornell University","ror":"https://ror.org/05bnh6r87","country_code":"US","type":"education","lineage":["https://openalex.org/I205783295"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Jiale Lao","raw_affiliation_strings":["Cornell University, Ithaca, NY, USA"],"affiliations":[{"raw_affiliation_string":"Cornell University, Ithaca, NY, USA","institution_ids":["https://openalex.org/I205783295"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Renyuan Li","orcid":"https://orcid.org/0009-0008-6664-6396"},"institutions":[{"id":"https://openalex.org/I24185976","display_name":"Sichuan University","ror":"https://ror.org/011ashp19","country_code":"CN","type":"education","lineage":["https://openalex.org/I24185976"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Renyuan Li","raw_affiliation_strings":["Sichuan University, Chengdu, China"],"affiliations":[{"raw_affiliation_string":"Sichuan University, Chengdu, China","institution_ids":["https://openalex.org/I24185976"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yuanchun Zhou","orcid":"https://orcid.org/0000-0003-2144-1131"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yuanchun Zhou","raw_affiliation_strings":["Chinese Academy of Science, Beijing, China"],"affiliations":[{"raw_affiliation_string":"Chinese Academy of Science, Beijing, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":null,"display_name":"Carl Yang","orcid":"https://orcid.org/0000-0001-9145-4531"},"institutions":[{"id":"https://openalex.org/I150468666","display_name":"Emory University","ror":"https://ror.org/03czfpz43","country_code":"US","type":"education","lineage":["https://openalex.org/I150468666"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Carl Yang","raw_affiliation_strings":["Emory University, Atlanta, USA"],"affiliations":[{"raw_affiliation_string":"Emory University, Atlanta, USA","institution_ids":["https://openalex.org/I150468666"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yang Cao","orcid":"https://orcid.org/0000-0002-6424-8633"},"institutions":[{"id":"https://openalex.org/I4400009020","display_name":"Institute of Science Tokyo","ror":"https://ror.org/05dqf9946","country_code":null,"type":"education","lineage":["https://openalex.org/I4400009020"]}],"countries":["JP"],"is_corresponding":false,"raw_author_name":"Yang Cao","raw_affiliation_strings":["Institute of Science Tokyo, Tokyo, Japan"],"affiliations":[{"raw_affiliation_string":"Institute of Science Tokyo, Tokyo, Japan","institution_ids":["https://openalex.org/I4400009020"]}]},{"author_position":"last","author":{"id":null,"display_name":"Mingjie Tang","orcid":"https://orcid.org/0000-0002-8893-4574"},"institutions":[{"id":"https://openalex.org/I24185976","display_name":"Sichuan University","ror":"https://ror.org/011ashp19","country_code":"CN","type":"education","lineage":["https://openalex.org/I24185976"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Mingjie Tang","raw_affiliation_strings":["Sichuan University, Chengdu, China"],"affiliations":[{"raw_affiliation_string":"Sichuan University, Chengdu, China","institution_ids":["https://openalex.org/I24185976"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":8,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I24185976"],"apc_list":null,"apc_paid":null,"fwci":10.4164,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.98096633,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":91,"max":100},"biblio":{"volume":"3","issue":"6","first_page":"1","last_page":"27"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.8187000155448914,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.8187000155448914,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.09920000284910202,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.012199999764561653,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.9948999881744385},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.6388000249862671},{"id":"https://openalex.org/keywords/covert","display_name":"Covert","score":0.5845999717712402},{"id":"https://openalex.org/keywords/sql-injection","display_name":"SQL injection","score":0.5655999779701233},{"id":"https://openalex.org/keywords/sql","display_name":"SQL","score":0.5396000146865845},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.4352000057697296},{"id":"https://openalex.org/keywords/relational-database","display_name":"Relational database","score":0.414000004529953},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.3149999976158142}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.9948999881744385},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7799000144004822},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6832000017166138},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.6388000249862671},{"id":"https://openalex.org/C2779338814","wikidata":"https://www.wikidata.org/wiki/Q5179285","display_name":"Covert","level":2,"score":0.5845999717712402},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.5655999779701233},{"id":"https://openalex.org/C510870499","wikidata":"https://www.wikidata.org/wiki/Q47607","display_name":"SQL","level":2,"score":0.5396000146865845},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.4352000057697296},{"id":"https://openalex.org/C5655090","wikidata":"https://www.wikidata.org/wiki/Q192588","display_name":"Relational database","level":2,"score":0.414000004529953},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3149999976158142},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.310699999332428},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.3093999922275543},{"id":"https://openalex.org/C29024540","wikidata":"https://www.wikidata.org/wiki/Q1476964","display_name":"Covert channel","level":5,"score":0.30559998750686646},{"id":"https://openalex.org/C56288433","wikidata":"https://www.wikidata.org/wiki/Q58673","display_name":"Data manipulation language","level":2,"score":0.28790000081062317},{"id":"https://openalex.org/C121822524","wikidata":"https://www.wikidata.org/wiki/Q5157582","display_name":"Computer security model","level":2,"score":0.2799000144004822},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.2791999876499176},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.266400009393692},{"id":"https://openalex.org/C158251709","wikidata":"https://www.wikidata.org/wiki/Q354025","display_name":"Intrusion","level":2,"score":0.26100000739097595},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.25760000944137573},{"id":"https://openalex.org/C174333608","wikidata":"https://www.wikidata.org/wiki/Q19635","display_name":"Trojan","level":2,"score":0.25360000133514404}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3769762","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3769762","pdf_url":null,"source":{"id":"https://openalex.org/S4387289859","display_name":"Proceedings of the ACM on Management of Data","issn_l":"2836-6573","issn":["2836-6573"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Management of Data","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.7422428131103516,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":35,"referenced_works":["https://openalex.org/W2037786632","https://openalex.org/W2753783305","https://openalex.org/W2807363941","https://openalex.org/W2890431379","https://openalex.org/W2934843808","https://openalex.org/W2970641574","https://openalex.org/W2986013765","https://openalex.org/W2989011483","https://openalex.org/W3035367371","https://openalex.org/W3109409894","https://openalex.org/W3128663834","https://openalex.org/W3170572542","https://openalex.org/W3176270593","https://openalex.org/W3204619801","https://openalex.org/W3205696278","https://openalex.org/W3210951978","https://openalex.org/W3214600982","https://openalex.org/W4214680449","https://openalex.org/W4366660081","https://openalex.org/W4381326864","https://openalex.org/W4382202531","https://openalex.org/W4385570661","https://openalex.org/W4385571902","https://openalex.org/W4389519254","https://openalex.org/W4392453936","https://openalex.org/W4396571402","https://openalex.org/W4398234583","https://openalex.org/W4399175046","https://openalex.org/W4401213616","https://openalex.org/W4402042542","https://openalex.org/W4402043038","https://openalex.org/W4402264152","https://openalex.org/W4404782283","https://openalex.org/W4405181600","https://openalex.org/W4407356147"],"related_works":[],"abstract_inverted_index":{"Large":[0],"language":[1,11,125],"models":[2,42,59],"(LLMs)":[3],"have":[4],"shown":[5],"state-of-the-art":[6],"results":[7],"in":[8,124,140],"translating":[9],"natural":[10],"questions":[12],"into":[13,41],"SQL":[14,102,115,127],"queries":[15],"(Text-to-SQL),":[16],"a":[17,63,148],"long-standing":[18],"challenge":[19],"within":[20],"the":[21,31,54,109,168,176],"database":[22,152],"community.":[23],"However,":[24],"security":[25,120],"concerns":[26],"remain":[27,88],"largely":[28],"unexplored,":[29],"particularly":[30],"threat":[32],"of":[33,56,111,135,145,178],"backdoor":[34,65,106,182],"attacks,":[35],"which":[36,117],"can":[37,138],"introduce":[38],"malicious":[39,86,112],"behaviors":[40,87],"through":[43],"fine-tuning":[44],"with":[45],"poisoned":[46,136],"datasets.":[47],"In":[48],"this":[49],"work,":[50],"we":[51,99,155],"systematically":[52],"investigate":[53],"vulnerabilities":[55],"LLM-based":[57],"Text-to-SQL":[58,173],"and":[60,73,82,121,158],"present":[61],"ToxicSQL,":[62],"novel":[64],"attack":[66,142],"framework.":[67],"Our":[68,165],"approach":[69],"leverages":[70],"stealthy":[71],"command-like":[72],"character-level":[74],"triggers":[75],"to":[76,80,151,161],"make":[77],"backdoors":[78],"difficult":[79],"detect":[81],"remove,":[83],"ensuring":[84],"that":[85,131],"covert":[89],"while":[90],"maintaining":[91],"high":[92],"model":[93,163],"accuracy":[94],"on":[95],"benign":[96],"inputs.":[97],"Furthermore,":[98],"propose":[100,156],"leveraging":[101],"injection":[103],"payloads":[104],"as":[105],"targets,":[107],"enabling":[108],"generation":[110],"yet":[113],"executable":[114],"queries,":[116],"pose":[118],"severe":[119],"privacy":[122],"risks":[123],"model-based":[126],"development.":[128],"We":[129],"demonstrate":[130],"injecting":[132],"only":[133],"0.44%":[134],"data":[137],"result":[139],"an":[141],"success":[143],"rate":[144],"79.41%,":[146],"posing":[147],"significant":[149],"risk":[150],"security.":[153],"Additionally,":[154],"detection":[157],"mitigation":[159],"strategies":[160],"enhance":[162],"reliability.":[164],"findings":[166],"highlight":[167],"urgent":[169],"need":[170],"for":[171],"security-aware":[172],"development,":[174],"emphasizing":[175],"importance":[177],"robust":[179],"defenses":[180],"against":[181],"threats.":[183]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":1}],"updated_date":"2025-12-06T23:14:57.273132","created_date":"2025-12-06T00:00:00"}