I have a small MySQL database with a few hundred rows (all in text, no images). I am requesting all the rows using iQuery and do all filtering at client end. iQuery code is the following:
$(document).ready( function () {
$.get("alldata.php", function(data){
$('#result').text(data);
});
});
On the server side, the "alldata.php" has the following code and pass the data in JSON back to iQuery:
$sql = "SELECT title FROM mydatabase";
$result = mysqli_query($conn, $sql);
$arr = array();
while($row = mysqli_fetch_assoc($result)){
$row_array['Title'] =$row['title'];
array_push($arr,$row_array);
}
mysqli_close($conn);
echo json_encode($arr);
It seems to me there will not be any risk of injection since there is NO user input submitted to the database. Am I right or wrong? Thanks a lot for your input!
You are right. Your SQL statement includes no parameters outside of itself, so there is no vector for injection. While injection attacks ARE possible on SELECT statements, in your case the query is not created dynamically so cannot be tampered with.
You are safe since there are no user input. A malicious user needs user input to inject query. So never trust user input.