Hello everyone, I'm @xiaoqiangapi, the Chinese teacher who gives apis a "check-up".
[An article on] (HTTP: / / https://dev.to/xiaoqiangapi3721/a-chinese-language-teachers-api-security-checkup-1-passing-all-three-certification-checkpoints-3d1e, I tested the most basic authentication mechanisms - no Key, wrong Key, empty requests - and the API blocked them all.
But authentication is just the first gate. Today we're going to test something even tougher: ** Will the API be fooled if someone deliberately inputs malicious code? **
I'm not a security expert. I only use Postman and curl. Test one item at a time, record honestly, no exaggeration.
Test (4) : SQL Injection
Test purpose : To see if the API executes malicious SQL commands when someone tries to "steal the database" through the chat box.

Conclusion : The model recognizes this as a malicious SQL statement, rejects execution and returns a security warning.
✅ Passed — SQL injection attack blocked, database protected.
Test (5) : XSS (Cross-site Scripting) attack
** Test purpose ** : To test whether the API will be executed when someone enters the <script> tag in an attempt to implant a malicious script.

Conclusion: The model recognized the <script> tag, escaped it and returned it as plain text without executing any script.
✅ Passed — No malicious code reflected, XSS attack blocked.
Test (6) : Prompt Injection (Instruction hijacking)
** Purpose of the test ** : To test whether the AI will be "brainwashed" by using malicious instructions to make it betray the original system Settings.

Conclusion: The model did not return "HACKED" and maintained a normal response.
✅ Passed — The model was not hijacked by malicious instructions.
Summary
Three injection attack tests, ** all passed **.
/ Test item/Attack type/result
|---|---|---|
SQL injection, database attack, ✅ interception
XSS Cross-site scripting, front-end attack, ✅ defense
Prompt hijacking: AI instruction attack: ✅ defense
For a personal API service that is being publicly built, ** this second line of security is also held **. Common injection attack tactics are currently unbreakable.
Next preview
In the next group, I will test ** Pressure and compatibility ** : rate limiting policies, extra-long input, special characters, and multi-language support. See if my API gets crashed.
If you have a different opinion on these three tests, or think I missed any common injection methods, ** please let me know in the comment section ** - I'm not a security expert, and community advice is important to me.
- About me and my API*
- I'm a nearly 50-year-old former Chinese teacher who taught myself programming from scratch and is publicly building a Chinese large model API relay service. All the tests in this series were done by my own hands and recorded honestly, without any exaggeration or underestimation. *
** Today 's interactive question ** : What's the most outrageous attack you've ever encountered in development? Was it SQL injection, XSS, or someone using prompt words to play tricks? Share your experience in the comment section.























