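Unescaped parameter $_REQUEST['bulk_key'] used in $wpdb->get_var("SELECT COUNT(*) FROM {$this->table} WHERE bulk_key = '{$_REQUEST['bulk_key']}' AND user_id={$user_id} AND post_type='{$WPBE->settings->current_post_type}'")
$_REQUEST['bulk_key'] used without escaping.
$user_id assigned unsafely at line 410:
 $user_id = get_current_user_id()
$WPBE->settings->current_post_type used without escaping.
Note: the request value is interpolated directly into a quoted SQL string literal, so this is the finding to fix first. Build the statement with $wpdb->prepare(), using %s for bulk_key and post_type and %d for user_id. get_current_user_id() returns an integer, so $user_id is the lowest-risk of the three flagged values.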
Unescaped parameter $addtn_query used in $wpdb->get_results("
    SELECT posts.ID
    FROM $wpdb->posts AS posts
    LEFT JOIN $wpdb->postmeta AS postmeta ON ( posts.ID = postmeta.post_id )
    WHERE posts.post_type IN ('product','product_variation')
    AND postmeta.meta_key = '_sale_price'
    AND ( postmeta.meta_value = $woobe_sale_from $addtn_query )")
$addtn_query assigned unsafely at line 552:
 $addtn_query = ' OR postmeta.meta_value = null'
$addtn_query assigned unsafely at line 550:
 $addtn_query = ''
$product_variations assigned unsafely at line 554:
 $product_variations = $wpdb->get_results("
    SELECT posts.ID
    FROM $wpdb->posts AS posts
    LEFT JOIN $wpdb->postmeta AS postmeta ON ( posts.ID = postmeta.post_id )
    WHERE posts.post_type IN ('product','product_variation')
    AND postmeta.meta_key = '_sale_price'
    AND ( postmeta.meta_value = $woobe_sale_from $addtn_query )", ARRAY_N)
Note: in the two assignments the scanner lists (lines 550 and 552), $addtn_query is a constant string, so the flagged variable is not itself request-derived as far as this report shows. The value to trace is $woobe_sale_from, which is interpolated unquoted and whose origin the report does not show; bind it through $wpdb->prepare(). Separately, `meta_value = null` never evaluates to true in SQL, so the added clause likely needs `IS NULL` to have any effect.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $addtn_query used in $wpdb->get_results("
    SELECT posts.ID
    FROM $wpdb->posts AS posts
    LEFT JOIN $wpdb->postmeta AS postmeta ON ( posts.ID = postmeta.post_id )
    WHERE posts.post_type IN ('product','product_variation')
    AND postmeta.meta_key = '_stock'
    AND postmeta.meta_value = $woobe_stock_quantity_from" . $addtn_query)
$addtn_query assigned unsafely at line 486:
 $addtn_query = ' OR postmeta.meta_value = null'
$addtn_query assigned unsafely at line 484:
 $addtn_query = ''
$product_variations assigned unsafely at line 488:
 $product_variations = $wpdb->get_results("
    SELECT posts.ID
    FROM $wpdb->posts AS posts
    LEFT JOIN $wpdb->postmeta AS postmeta ON ( posts.ID = postmeta.post_id )
    WHERE posts.post_type IN ('product','product_variation')
    AND postmeta.meta_key = '_stock'
    AND postmeta.meta_value = $woobe_stock_quantity_from" . $addtn_query, ARRAY_N)
Note: in the two assignments the scanner lists (lines 484 and 486), $addtn_query is a constant string, so the flagged variable is not itself request-derived as far as this report shows. The value to trace is $woobe_stock_quantity_from, which is interpolated unquoted and whose origin the report does not show; bind it through $wpdb->prepare(). Because the appended OR clause is not parenthesised here, it binds more loosely than the preceding AND conditions, and `meta_value = null` never evaluates to true in SQL in any case.
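Unescaped parameter $bulk_key used in $wpdb->get_results("SELECT id FROM {$this->table} WHERE bulk_key='{$bulk_key}' AND user_id={$user_id} AND post_type='{$WPBE->settings->current_post_type}' LIMIT {$limit}")
$bulk_key assigned unsafely at line 425:
 $bulk_key = $_REQUEST['bulk_key']
$user_id assigned unsafely at line 427:
 $user_id = get_current_user_id()
$WPBE->settings->current_post_type used without escaping.
$_REQUEST['bulk_key'] used without escaping.
Note: $bulk_key is copied unchanged from $_REQUEST['bulk_key'] at line 425 and then placed inside a quoted SQL string literal, so the request value reaches the query unmodified. Build the statement with $wpdb->prepare(), using %s for bulk_key and post_type and %d for user_id. {$limit} is also interpolated and its origin is not shown in this report; bind it with %d as well.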
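Unescaped parameter $bulk_key used in $wpdb->get_results("SELECT id FROM {$this->table} WHERE bulk_key='{$bulk_key}' AND user_id={$user_id} LIMIT {$limit}")
$bulk_key assigned unsafely at line 479:
 $bulk_key = WOOBE_HELPER::sanitize_bulk_key($_REQUEST['bulk_key'])
$user_id assigned unsafely at line 481:
 $user_id = get_current_user_id()
$_REQUEST['bulk_key'] used without escaping.
Note: here the request value passes through WOOBE_HELPER::sanitize_bulk_key() before it is used. The scanner still reports it, presumably because it does not treat that helper as an escaping function. Whether the helper is sufficient depends on its implementation, which this report does not show; binding the value with $wpdb->prepare() (%s for bulk_key, %d for user_id and the LIMIT) removes the reliance on it.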