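Unescaped parameter $safe_sql used in $wpdb->get_results($safe_sql)
$safe_sql assigned unsafely at line 102:
 $safe_sql = $wpdb->prepare( $sql, absint( $contestant_raw->id ), absint( $_POST['giveaway_id'] ) )
$sql assigned unsafely at line 101:
 $sql = "SELECT DISTINCT action_id,count(id) as count, created_at, CONVERT_TZ(`created_at`, @@session.time_zone, '+00:00') AS `utc_datetime` FROM $tablename WHERE contestant_id = %d AND action_id IS NOT NULL AND giveaway_id = %d GROUP BY action_id ORDER BY created_at DESC"
$tablename assigned unsafely at line 100:
 $tablename = $wpdb->prefix . 'rafflepress_entries'
Note: the flagged chain ends at $wpdb->prefix concatenated with a string literal, and both values reaching the query are wrapped in absint() and bound to %d by $wpdb->prepare(). The only text interpolated into the SQL string is the table name, so as shown this looks like a scanner limitation on interpolated identifiers rather than an injectable parameter. On WordPress 6.2+ the table name can be bound with the %i identifier placeholder, which would remove the interpolation.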
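Unescaped parameter $safe_sql used in $wpdb->get_results($safe_sql)
$safe_sql assigned unsafely at line 163:
 $safe_sql = $wpdb->prepare( $sql, $giveaway->id )
$sql assigned unsafely at line 162:
 $sql = "SELECT email,fname,lname FROM $tablename WHERE giveaway_id = %d AND winner = 1"
$tablename assigned unsafely at line 161:
 $tablename = $wpdb->prefix . 'rafflepress_contestants'
Note: the flagged chain ends at $wpdb->prefix concatenated with a string literal, and $giveaway->id is bound to %d by $wpdb->prepare(). The only text interpolated into the SQL string is the table name, so as shown this looks like a scanner limitation on interpolated identifiers rather than an injectable parameter.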
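Unescaped parameter $safe_sql used in $wpdb->get_results($safe_sql)
$safe_sql assigned unsafely at line 22:
 $safe_sql = $wpdb->prepare( $sql, absint( $contestant_id ), $comment_label, absint( $_POST['giveaway_id'] ) )
$sql assigned unsafely at line 21:
 $sql = "SELECT created_at , action_id, meta , CONVERT_TZ(`created_at`, @@session.time_zone, '+00:00') AS `utc_datetime` FROM $tablename WHERE contestant_id = %d AND meta like %s AND action_id IS NOT NULL AND giveaway_id = %d GROUP BY created_at ORDER BY created_at DESC"
$tablename assigned unsafely at line 20:
 $tablename = $wpdb->prefix . 'rafflepress_entries'
Note: the flagged chain ends at $wpdb->prefix concatenated with a string literal, and the two ids are wrapped in absint() and bound to %d. $comment_label is bound to %s for a LIKE match, and its origin is not shown in this trace. If it can carry user input, confirm that wildcard characters are escaped with $wpdb->esc_like() before the value reaches $wpdb->prepare().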