ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

95K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $posts used in $wpdb->get_col(sprintf( "SELECT meta_value FROM {$wpdb->postmeta} WHERE meta_key = '_thumbnail_id' AND post_id IN(%s)", implode(',', $posts) ))\n$posts assigned unsafely at line 92:\n $posts = array_filter( $wpdb->get_col( $query ) )\n$query used without escaping.

Unescaped parameter $q used in $wpdb->get_results($q)\n$q assigned unsafely at line 197:\n $q = sprintf( "SELECT post_id, meta_key, meta_value FROM {$wpdb->postmeta} WHERE meta_key IN('_wp_attached_file', '_wp_attachment_metadata') AND post_id IN(%s)", implode( ',', $chunk ) )\n$chunk assigned unsafely at line 195:\n $chunk = array_slice( $attachment_ids, $i * 1000, 1000 )\n$attachment_ids assigned unsafely at line 192:\n $attachment_ids = array_keys( $attachments )\n$attachments used without escaping.

Unescaped parameter $query used in $wpdb->get_col($query)\n$query used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Export media with selected content

export-media-with-selected-content

issues

50K

installs

Lightbox with PhotoSwipe

lightbox-photoswipe

issues

20K

installs

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 41:\n $sql = "(" . $sql . ") union (select ID from " . $wpdb->posts . " where post_parent in (select ID from " . $wpdb->posts . " where post_parent = " . absint( $topic_id ) . " and post_type = 'reply') and post_type = 'attachment')"\n$sql assigned unsafely at line 38:\n $sql = "select ID from " . $wpdb->posts . " where post_parent = " . $topic_id . " and post_type = 'attachment'"\n$topic_id used without escaping.