Unescaped parameter $alter_sql used in $wpdb->query($alter_sql)
$alter_sql assigned unsafely at line 690:
 $alter_sql = sprintf('ALTER TABLE `%s` %s;', $table_name, implode(', ', $columns_to_add))
$table_name assigned unsafely at line 664:
 $table_name => 
$all_existing_tables assigned unsafely at line 656:
 $all_existing_tables[] = $new_table_name
Unescaped parameter $columns used in $wpdb->get_results("SELECT ".$columns." FROM `".$table_name."`;")
$columns used without escaping.
Unescaped parameter $cond used in $wpdb->get_results("SELECT ipaddr,time,notifyto,posted_data FROM ".$wpdb->prefix.$this->table_messages." WHERE 1=1 ".$cond." ORDER BY `time` DESC")
$cond assigned unsafely at line 58:
 $cond .= " AND (`time` <= '".esc_sql($date_end)." 23:59:59')"
$cond assigned unsafely at line 53:
 $cond .= " AND (`time` >= '".esc_sql( $date_start )."')"
$rawto assigned unsafely at line 45:
 $rawto = str_replace('/','.',$rawto)
$rawto assigned unsafely at line 41:
 $rawto = (isset($_GET["dto"]) ? sanitize_text_field($_GET["dto"]) : '')
Note: sanitize_text_field() is not a safe escaping function.
$date_end assigned unsafely at line 57:
 $date_end = date("Y-m-d",strtotime($rawto))
$_GET["dto"] used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $count_query used in $wpdb->get_var($count_query)
$count_query assigned unsafely at line 238:
 $count_query = "SELECT count(*) FROM {$this->wpdb->prefix}ea_meta_fields"
Unescaped parameter $cp_appb_plugin->table_items used in $wpdb->get_results("SELECT id,form_name FROM ".$wpdb->prefix.$cp_appb_plugin->table_items." ORDER BY form_name")
$cp_appb_plugin->table_items used without escaping.