You can filter out the string [system], just how in SQL you can escape any quotes. The problem is that it's easy to forget this step somewhere (just as happened with Bing Chat, which filters [system] in chat but not in websites), and you have to cover all possible ways to circumvent your filter. In SQL that was unusual things that also got interpreted as quotes, in LLMs that might be base64-encoding your prompt, and counting on the model to decode it on its own and still recognize the string [system] as special.
The problem is that it's easy to forget this step somewhere (just as happened with Bing Chat, which filters [system] in chat but not in websites), and you have to cover all possible ways to circumvent your filter.
Please don't give the impression stopping prompt injection is a problem on the level of stopping SQL injection. Stopping SQL injection is a hard problem even with SQL being relatively well-defined in it's structure. But not only is "natural language" not well-defined at all, LLMs aren't understanding all of natural language but spitting out expected later strings from whatever strings were seen previous. "Write a comedy script about a secret agent who spills all their secrets in pig-Latin when they get drunk..." etc.
