douningqiu4991 2015-08-02 18:58 采纳率: 0%
浏览 36
已采纳

如果没有用户输入发送到数据库,是否存在任何注入风险?

I have a small MySQL database with a few hundred rows (all in text, no images). I am requesting all the rows using iQuery and do all filtering at client end. iQuery code is the following:

$(document).ready( function () {
     $.get("alldata.php", function(data){
         $('#result').text(data);
     });  
});

On the server side, the "alldata.php" has the following code and pass the data in JSON back to iQuery:

$sql = "SELECT title FROM mydatabase";
$result =  mysqli_query($conn, $sql);
$arr = array(); 

while($row = mysqli_fetch_assoc($result)){
    $row_array['Title'] =$row['title'];
    array_push($arr,$row_array);
}
mysqli_close($conn);

echo json_encode($arr);

It seems to me there will not be any risk of injection since there is NO user input submitted to the database. Am I right or wrong? Thanks a lot for your input!

  • 写回答

2条回答 默认 最新

  • dps57553 2015-08-02 19:00
    关注

    You are right. Your SQL statement includes no parameters outside of itself, so there is no vector for injection. While injection attacks ARE possible on SELECT statements, in your case the query is not created dynamically so cannot be tampered with.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等
  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 qt6.6.3 基于百度云的语音识别 不会改
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行
  • ¥20 测距传感器数据手册i2c