ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

115K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $guest_authors used in $wpdb->query($wpdb->prepare("DELETE FROM " . $guest_authors . " WHERE id = %d", $guest_id))\n$guest_authors assigned unsafely at line 512:\n $guest_authors = $wpdb->prefix . "wpa_guest_authors"\n$postmeta assigned unsafely at line 513:\n $postmeta = $wpdb->prefix . "postmeta"\n$dbpost assigned unsafely at line 515:\n $dbpost = $wpdb->query($wpdb->prepare("DELETE FROM " . $guest_authors . " WHERE id = %d", $guest_id))

Unescaped parameter $postmeta used in $wpdb->query($wpdb->prepare("DELETE FROM " . $postmeta . " WHERE meta_value = %s", 'guest-' . $guest_id))\n$postmeta assigned unsafely at line 513:\n $postmeta = $wpdb->prefix . "postmeta"\n$dbpost assigned unsafely at line 515:\n $dbpost = $wpdb->query($wpdb->prepare("DELETE FROM " . $guest_authors . " WHERE id = %d", $guest_id))\n$guest_authors assigned unsafely at line 512:\n $guest_authors = $wpdb->prefix . "wpa_guest_authors"

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 1282:\n $query = "SELECT user_id, user_login, display_name, user_email, user_url, user_registered, meta_key, meta_value FROM $wpdb->users, $wpdb->usermeta " .\r\n\t\t " WHERE " . $wpdb->users . ".ID = " . $wpdb->usermeta . ".user_id AND " . $blogs_condition . " AND user_status = 0" . $roleQuery\n$blogs_condition assigned unsafely at line 1265:\n $blogs_condition = "meta_key = '" . $wpdb->prefix . "capabilities'"\n$roleQuery assigned unsafely at line 1278:\n $roleQuery = ' AND(' . $roleQuery . ')'\n$roleQuery assigned unsafely at line 1275:\n $roleQuery .= $wpdb->prepare( $or . 'meta_value like %s', $role )\n$or assigned unsafely at line 1273:\n $or = ' or '\n$or assigned unsafely at line 1271:\n $or = ''\n$role assigned unsafely at line 1270:\n $role = '%' . $role . '%'

Affected Plugins

Plugins that have instances of this rule violation

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 1302:\n $query = "SELECT\r\n\t\t\t'-1' as user_id,\r\n\t\t\tcomment_author_email as 'user_login',\r\n\t\t\tcomment_author as 'display_name',\r\n\t\t\tcomment_author_email as 'user_email',\r\n\t\t\tcomment_author_url as'user_url',\r\n\t\t\tcomment_date as 'user_registered',\r\n\t\t\t'wp_capabilities' as 'meta_key',\r\n\t\t\t'" . serialize( array( 'Commentator' => true ) ) . "' as 'meta_value'\r\n\t\t\tFROM " . $wpdb->comments . "\r\n\t\t\tWHERE comment_author_email <> '' AND comment_approved = 1 AND comment_type NOT IN( 'trackback', 'pingback' )"