Although a WHERE condition is optional in a SELECT statement, for performance and security reasons a WHERE clause should always be specified to prevent reading the whole table. Without one, every row is read and transferred into the program, including rows the current user has no business seeing.
Ask Yourself Whether
- The whole table is not required; the program only needs a subset of its rows.
- The table contains sensitive information (personal data, credentials, financial records).
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Add a "WHERE" condition to "SELECT" statements so that only the rows the program actually needs are read.
Sensitive Code Example
SELECT * FROM db_persons INTO TABLE us_persons. " reads every row of the table
Compliant Solution
SELECT * FROM db_persons INTO TABLE us_persons WHERE country = 'US'.
Exceptions
SELECT SINGLE and UP TO 1 ROWS result in only one record being read, so such SELECTs are ignored by this rule.
SELECT SINGLE * FROM db_persons INTO us_persons.
SELECT * FROM db_persons UP TO 1 ROWS INTO TABLE us_persons.
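The following is an added ABAP example, not code from the original rule page, that puts the recommended practice and the exception side by side: the unrestricted read, the hardened read that limits both rows (WHERE with a host variable) and columns (explicit field list), and a SELECT SINGLE that the rule does not flag. The table db_persons and its fields name and country are assumed, and the classic Open SQL clause order used on this page is kept.

```abap
" Added example, not part of the original rule page.
" Assumed: a transparent table db_persons with fields NAME and COUNTRY.
DATA: lt_persons TYPE STANDARD TABLE OF db_persons,
      ls_person  TYPE db_persons,
      lv_country TYPE db_persons-country VALUE 'US'.

" Sensitive: no WHERE condition, so every row of the table is read and
" transferred into the program, including rows this program never needs.
SELECT * FROM db_persons INTO TABLE lt_persons.

" Compliant: the WHERE condition limits the rows to the ones required and
" the explicit field list limits the columns. The filter value is passed as
" an ABAP variable, never concatenated into the statement text.
SELECT name country
  FROM db_persons
  INTO CORRESPONDING FIELDS OF TABLE lt_persons
  WHERE country = lv_country.
IF sy-subrc = 0.
  LOOP AT lt_persons INTO ls_person.
    " Only rows that matched the condition reach this point.
  ENDLOOP.
ENDIF.

" Exception: SELECT SINGLE reads at most one row, so the rule ignores it.
" Keeping a WHERE condition is still what ties the read to the intended row.
SELECT SINGLE name country
  FROM db_persons
  INTO CORRESPONDING FIELDS OF ls_person
  WHERE country = lv_country.
```

Checking sy-subrc after the filtered SELECT matters: a WHERE clause that matches nothing leaves the internal table empty and sets sy-subrc to 4, and code that silently proceeds on an empty result is a common source of follow-on bugs.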