Reputation: 990
In order to prevent SQL injection on my site, I have used prepared statements.
Now let's say I use, somewhere in my code, a simple SQL query like this:
SELECT DATA FROM DATABLE;
Is this code prone to injection? Well, it seems to me that it's not possible, as there is no user input. But I just want to be sure.
Upvotes: 1
Views: 2625
Reputation: 218
Injection is only possible if you use a variable in your query.
If you use prepared statements with params it is not possible.
select * from user where id = ?
You cannot change this query, only the value; in that case you will just get no results.
If you use
select * from user where id = '$id'
Now, depending on the value of $id, we can have a SQL injection. If $id were "0' or id > 0 ", you will always log in ;)
Upvotes: 0
Reputation: 943
If your statement is fixed (has no outside parameters), then it is immune to injection.
So if your code looks something like this:
result = RunQuery("SELECT * FROM Table")
then you are safe, since the query will always be the same every time and cannot be influenced by users.
Upvotes: 5
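The point made in both answers, as an added example that is not code from either answer: a small Python script against an in-memory SQLite database (an assumption, since the thread names no DBMS) that runs the fixed query, the prepared-statement form with a `?` placeholder, and the string-built form, using the value quoted in the first answer as input.

```python
import sqlite3


def make_db():
    # Constructed sample table with three rows; the thread has no schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO user (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def run_fixed_query(conn):
    # The fixed query from the second answer: no parameters, so no user-
    # supplied value can reach it. It returns the same rows every time.
    return conn.execute("SELECT * FROM user").fetchall()


def find_user_parameterized(conn, user_id):
    # The prepared-statement form from the first answer. The driver passes the
    # value separately from the SQL text, so it is only ever compared against
    # id; a value that is not a valid id simply matches no rows.
    return conn.execute("SELECT * FROM user WHERE id = ?", (user_id,)).fetchall()


def find_user_interpolated(conn, user_id):
    # The string-built form from the first answer, shown for contrast: the
    # value is pasted into the SQL text, so a quote in it rewrites the query.
    # Here the quoted value breaks the statement and SQLite refuses to parse it.
    try:
        return conn.execute(f"SELECT * FROM user WHERE id = '{user_id}'").fetchall()
    except sqlite3.OperationalError:
        return None  # the input changed the SQL itself, not just the value


def demo(user_id):
    # Row counts returned by each form for one input value.
    conn = make_db()
    return {
        "fixed": len(run_fixed_query(conn)),
        "parameterized": len(find_user_parameterized(conn, user_id)),
        "interpolated": find_user_interpolated(conn, user_id),
    }


if __name__ == "__main__":
    print(demo("2"))
    print(demo("0' or id > 0 "))
```

For a normal id both forms return one row; for the quoted value the prepared statement returns no rows and the fixed query is unaffected, while only the string-built query has its structure altered.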