Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 69:
    $sql = $wpdb->prepare( "SELECT * FROM $table_name WHERE id = %d", $id )
$table_name assigned unsafely at line 53:
    $table_name = $wpdb->prefix . 'word_balloon'
$name assigned unsafely at line 21:
    $name = sanitize_text_field( esc_textarea( $_POST['name'] ) )
Note: sanitize_text_field() is not a safe escaping function.
$text assigned unsafely at line 22:
    $text = sanitize_text_field( esc_textarea( $_POST['text'] ) )
$url assigned unsafely at line 38:
    $url = $return_data['url']
$_POST['name'] used without escaping.
$_POST['text'] used without escaping.
$return_data['url'] used without escaping.

Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 16:
    $sql = "DROP TABLE IF EXISTS $table_name"
$table_name assigned unsafely at line 15:
    $table_name = $wpdb->prefix . 'word_balloon'

Unescaped parameter $table_name used in $wpdb->get_results("SELECT * FROM $table_name")
$table_name assigned unsafely at line 159:
    $table_name = $wpdb->prefix . 'word_balloon'
$data assigned unsafely at line 161:
    $data = $wpdb->get_results("SELECT * FROM $table_name", 'ARRAY_A')

Affected Plugins
Plugins that have instances of this rule violation

Unescaped parameter $table_name used in $wpdb->get_results("SELECT * FROM $table_name")
$table_name assigned unsafely at line 176:
    $table_name = $wpdb->prefix . 'word_balloon'
$array assigned unsafely at line 177:
    $array = $wpdb->get_results("SELECT * FROM $table_name", 'ARRAY_A')

Unescaped parameter $table_name used in $wpdb->get_results("SELECT * FROM $table_name")
$table_name assigned unsafely at line 6:
    $table_name = $wpdb->prefix . 'word_balloon'
$array assigned unsafely at line 7:
    $array = $wpdb->get_results("SELECT * FROM $table_name", 'ARRAY_A')