Thursday, 15 March 2012

php - Is SQL injection not possible if only one result is displayed on the page?




I'm doing an SQL injection project for a security module in college, and I'm trying to learn how it works.

I can see how it works when a script doesn't filter input and loops over the DB result set, displaying the info on screen. As far as I can tell, the following code is not susceptible to SQL injection, as it is only expecting to display a single set of values on screen:

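<?php
// Vulnerable as posted: $_GET['id'] is concatenated straight into the query.
mysql_connect("localhost", "root", "");
mysql_select_db("testdb");

$result = mysql_query("select id, name, description from test_table where id = ".$_GET['id']);

// Only the first row of the result set is fetched and displayed.
list($id, $name, $description) = mysql_fetch_row($result);
echo "id: $id \n";
echo "name: $name \n";
echo "description: $description \n";
?>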

If I set the value of id to:

1 or 1 = 1 union select id, username, password from users limit 1, 1 --

the values from the union part of the query are not displayed, unless I run the mysql_fetch_row($result) statement twice, like so:

<?php
$result = mysql_query("select id, name, description from test_table where id = ".$_GET['id']);

// First fetch: the row from test_table.
list($id, $name, $description) = mysql_fetch_row($result);
echo "id: $id \n";
echo "name: $name \n";
echo "description: $description \n";

// Second fetch: the next row of the same result set.
list($id, $name, $description) = mysql_fetch_row($result);
echo "id: $id \n";
echo "name: $name \n";
echo "description: $description \n";
?>

Only then are the values from the union part of the statement displayed (i.e. username, password).

If anyone knows a thing or two about this, can you confirm that I am right in saying the above code is not susceptible to SQL injection, as it is only expecting to display a single set of values on screen?

Please correct me if I'm wrong.

Thanks for the help.

An attacker could set id to this:

1 and false union select id, username, password from users where username="carl" limit 1, 1 --

...and get carl's relevant information. Repeat the process for all usernames (or ids) and you still get a lot of info you shouldn't get. It will just take longer.

Therefore you cannot say that querying only 1 row makes SQL injection "less dangerous".
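The fix for the query discussed above, as an added example that is not part of the original question or answer: the id is validated as an integer and passed as a bound parameter, so the number of rows displayed no longer matters. It assumes PDO with a constructed in-memory SQLite database in place of the page's MySQL tables (the `mysql_*` functions were removed in PHP 7), and `fetchItem` is a hypothetical helper name.

```php
<?php
// Constructed sample data: in-memory SQLite stands in for the page's MySQL tables.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE test_table (id INTEGER PRIMARY KEY, name TEXT, description TEXT)");
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO test_table VALUES (1, 'widget', 'a constructed row')");
$pdo->exec("INSERT INTO users VALUES (1, 'carl', 'constructed-hash')");

/**
 * Hypothetical helper: fetch one row by id using a bound parameter.
 * Returns null when the input is not a positive integer or no row matches.
 */
function fetchItem(PDO $pdo, $rawId): ?array
{
    // Validate first: the id column is an integer, so anything else is rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely,
    // so it can never change the structure of the statement.
    $stmt = $pdo->prepare('SELECT id, name, description FROM test_table WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id and the two strings quoted in the question and answer.
$inputs = [
    '1',
    '1 or 1 = 1 union select id, username, password from users limit 1, 1 --',
    '1 and false union select id, username, password from users where username="carl" limit 1, 1 --',
];
foreach ($inputs as $input) {
    $row = fetchItem($pdo, $input);
    // Escape on output as well; the stored data is not trusted either.
    echo ($row === null ? 'rejected' : 'ok: ' . htmlspecialchars($row['name'])), "\n";
}
```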

php mysql security sql-injection
