Do I still need to protect my code against SQL injection when I'm not using variables in SQL queries?

Is this code still vulnerable?

// $connect is an already-open mysqli connection; the query is a fixed string with no variables.
$result = mysqli_query($connect, "SELECT subsubcat_name FROM subsubcategories WHERE subcat_ID = 4");
while ($row = mysqli_fetch_array($result)) {
    echo $row['subsubcat_name'];
    echo '<br>';
}

2 Answers


Since the SQL query is just a fixed string, there is no chance for SQL injection.

However, the way you print the output is a concern, because you fail to escape it for HTML. For example, if one of the subsubcat_names contains a < character, then it might be interpreted as an HTML tag.

In the worst case, if subsubcat_name contains a malicious string like <script>while (true) alert("Ha ha");</script>, it would be executed by the browser as JavaScript. Cross-site scripting attacks like that can be used, for example, to steal login credentials.

To prevent such accidental or malicious breakage, you should call htmlspecialchars():

echo htmlspecialchars($row['subsubcat_name']);

Even if the subsubcat_names are not under user control, it's still good programming practice to ensure correctness by escaping all HTML output as HTML.

Comment: htmlspecialchars() should suffice. (Commented Jun 14, 2014 at 14:42)
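As an added illustration of the escaping fix from this answer (example code, not part of the original post): the rows from the question rendered the way the question does and with htmlspecialchars(), using constructed rows in place of a mysqli result. The escape_html() and render_rows_*() helpers and the sample data are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. The rows are constructed
// here to stand in for what mysqli_fetch_array() would return.

// Rendering exactly as in the question: the value goes into the page as-is.
function render_rows_unescaped(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= $row['subsubcat_name'] . '<br>';
    }
    return $html;
}

// Wrapper around htmlspecialchars() with explicit flags. ENT_QUOTES also
// escapes single quotes (the pre-PHP 8.1 default, ENT_COMPAT, does not, which
// matters inside single-quoted attributes); ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, so a bad byte in one name does
// not silently blank that row.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The fixed rendering: every value is escaped before it reaches the markup.
function render_rows_escaped(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= escape_html($row['subsubcat_name']) . '<br>';
    }
    return $html;
}

// Constructed sample rows: a benign name with an ampersand, the script
// payload quoted in the answer, and a name containing an invalid UTF-8 byte.
$rows = [
    ['subsubcat_name' => 'Laptops & Tablets'],
    ['subsubcat_name' => '<script>while (true) alert("Ha ha");</script>'],
    ['subsubcat_name' => "Caf\xE9"],
];

echo "Unescaped:\n", render_rows_unescaped($rows), "\n\n";
echo "Escaped:\n", render_rows_escaped($rows), "\n";
// In the escaped output the second row appears as literal text in the page
// (angle brackets and quotes are entity-encoded), so the browser runs no script.
```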

It is not necessary for queries without external variables to have protection against SQL injection, because the exploit comes from user or publicly inputted content only.

Your example is a select query; there is no variable from outside, so it is OK.
