ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $ip used in $wpdb->get_results("DELETE FROM {$this->table} WHERE ip = '{$ip}'")\n$ip assigned unsafely at line 126:\n $ip = addslashes($ip)\nNote: addslashes() is not a safe escaping function.

Unescaped parameter $ip used in $wpdb->get_results("DELETE FROM {$this->table} WHERE ip = '{$ip}'")\n$ip assigned unsafely at line 145:\n $ip = addslashes($ip)\nNote: addslashes() is not a safe escaping function.

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 104:\n $sql = sprintf("SELECT max(id) AS id FROM %s WHERE wp_id = '%d';", $table, $wpUserId)\n$table assigned unsafely at line 103:\n $table = WiseChatInstaller::getUsersTable()

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 107:\n $sql = sprintf('SELECT * FROM %s WHERE name = "%s";', $table, $name)\n$table assigned unsafely at line 106:\n $table = WiseChatInstaller::getChannelsTable()

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 110:\n $sql = sprintf(\r\n\t\t\t'UPDATE %s SET user = "%s" WHERE %s;', $this->table, $userName, implode(" AND ", $conditions)\r\n\t\t)\n$userName assigned unsafely at line 108:\n $userName = addslashes($userName)\nNote: addslashes() is not a safe escaping function.

Affected Plugins

Plugins that have instances of this rule violation