
I made a short piece of code that shows me exactly how many users are registered on my website.

$user_query = "SELECT id FROM users ORDER BY id";       // fixed query text, no variables in it
$user_counter = ($user_query);                            // the parentheses have no effect here
$user_counter_run = mysqli_query($conn, $user_counter);   // run the query on the open connection
$user_counting = mysqli_num_rows($user_counter_run);      // number of rows returned = number of users

I don't have much experience with SQL injection... I'm just wondering, can I get a SQL injection through this code?

IchBinDuck
  • No, the above isn't open for SQL injections since it's a hard-coded query without any dynamic values (like user input). I would recommend that you read through some articles about what SQL injections are, and it will become much clearer. – M. Eriksson Dec 25 '20 at 09:07
  • Thanks Magnus! I will read about SQL injections to learn more about them. – IchBinDuck Dec 25 '20 at 09:15
  • **That's NOT how you check the number of rows in the first place.** It should be a SELECT count(*) query. Imagine there will be a million rows. Gonna select them all only to get the count? – Your Common Sense Dec 25 '20 at 09:27
  • Out of curiosity, what are the parentheses in `$user_counter = ($user_query);` trying to accomplish? – Álvaro González Dec 25 '20 at 12:39

1 Answer


No, because the query is pre-defined. If the user was entering even a part of the query, then SQL injection would be possible.

Mateja
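As an added example (not code from the question or the answer), here is the count query rewritten with COUNT(*) as the comment suggests, beside the prepared-statement form to use once part of the WHERE clause comes from the request, which keeps the query text fixed even with input involved. The `role` column and the connection parameters are assumptions.

```php
<?php
// Added example. Assumes an open mysqli connection in $conn and a `users`
// table with an `id` column, as in the question; the `role` column is made up.

// 1. Hard-coded query: no request data ever reaches the SQL string, so there
//    is nothing to inject. COUNT(*) lets the server count instead of shipping
//    every row to PHP just to call mysqli_num_rows() on the result.
function countUsers(mysqli $conn): int
{
    $result = $conn->query("SELECT COUNT(*) AS n FROM users");
    if ($result === false) {
        throw new RuntimeException("count query failed: " . $conn->error);
    }
    $row = $result->fetch_assoc();
    return (int) $row['n'];
}

// 2. Filtered count where the filter value comes from the request. A prepared
//    statement sends the SQL text and the value separately, so the query keeps
//    the "no dynamic values in the SQL string" property the answer describes.
function countUsersByRole(mysqli $conn, string $role): int
{
    $stmt = $conn->prepare("SELECT COUNT(*) FROM users WHERE role = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $conn->error);
    }
    $stmt->bind_param("s", $role);   // $role is bound as data, never spliced into the SQL
    $stmt->execute();
    $stmt->bind_result($n);
    $stmt->fetch();
    $stmt->close();
    return (int) $n;
}

// Usage with constructed connection parameters (not from the question):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
// $conn = new mysqli("localhost", "app", "secret", "appdb");
// echo countUsers($conn), " users registered\n";
// echo countUsersByRole($conn, $_GET['role'] ?? 'member'), " users with that role\n";
```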