Unescaped parameter $adtable_name used in $wpdb->get_results($wpdb->prepare("SELECT * FROM $adtable_name WHERE status = '1' AND slot NOT IN (%d) ORDER BY RAND() LIMIT %d", $exclude, $setting_num_slots))
$adtable_name assigned unsafely at line 131:
 $adtable_name = $wpdb->prefix . "wp125_ads"

Unescaped parameter $adtable_name used in $wpdb->get_results($wpdb->prepare("SELECT * FROM $adtable_name WHERE status = '1' AND slot NOT IN (%d) ORDER BY slot ASC", $exclude))
$adtable_name assigned unsafely at line 131:
 $adtable_name = $wpdb->prefix . "wp125_ads"

Unescaped parameter $adtable_name used in $wpdb->get_results("SELECT * FROM $adtable_name WHERE status != '0' AND end_date != '00/00/0000' ORDER BY id DESC")
$adtable_name assigned unsafely at line 12:
 $adtable_name = $wpdb->prefix . "wp125_ads"
$ads assigned unsafely at line 13:
 $ads = $wpdb->get_results("SELECT * FROM $adtable_name WHERE status != '0' AND end_date != '00/00/0000' ORDER BY id DESC", OBJECT)

Unescaped parameter $adtable_name used in $wpdb->get_results("SELECT * FROM $adtable_name WHERE status != '0' ORDER BY id DESC")
$adtable_name assigned unsafely at line 403:
 $adtable_name = $wpdb->prefix . "wp125_ads"
$wp125db assigned unsafely at line 404:
 $wp125db = $wpdb->get_results("SELECT * FROM $adtable_name WHERE status != '0' ORDER BY id DESC", OBJECT)

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $adtable_name used in $wpdb->get_results("SELECT * FROM $adtable_name WHERE status != '0' ORDER BY id DESC")
$adtable_name assigned unsafely at line 79:
 $adtable_name = $wpdb->prefix . "wp125_ads"
$adtable_name assigned unsafely at line 52:
 $adtable_name = $wpdb->prefix . "wp125_ads"
$adtable_name assigned unsafely at line 32:
 $adtable_name = $wpdb->prefix . "wp125_ads"
$_GET['showmanage'] used without escaping.
$wp125db assigned unsafely at line 83:
 $wp125db = $wpdb->get_results("SELECT * FROM $adtable_name WHERE status != '0' ORDER BY id DESC", OBJECT)
$_GET['wp125_nonce_adstate'] used without escaping.