ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

20K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $download_id used in $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'sdm_downloads WHERE post_id="' . $download_id . '" AND visitor_ip = "' . $ipaddress . '"')\n$download_id used without escaping.

Unescaped parameter $ipaddress used in $wpdb->get_results('SELECT * FROM ' . $wpdb->prefix . 'sdm_downloads WHERE post_id="' . $download_id . '" AND visitor_ip = "' . $ipaddress . '"')\n$ipaddress assigned unsafely at line 55:\n $ipaddress = sdm_get_ip_address()

Unescaped parameter $q used in $wpdb->get_results($q)\n$q assigned unsafely at line 209:\n $q = $wpdb->prepare(\n\t\t'SELECT COUNT(id) as cnt, visitor_name\n FROM ' . $wpdb->prefix . "sdm_downloads\n WHERE DATE_FORMAT(`date_time`,'%%Y-%%m-%%d')>=%s\n AND DATE_FORMAT(`date_time`,'%%Y-%%m-%%d')<=%s\n GROUP BY visitor_name \n\t\t\tORDER BY cnt DESC \n\t\t\tLIMIT $limit",\n\t\t$start_date,\n\t\t$end_date\n\t)\n$limit used without escaping.

Unescaped parameter $q used in $wpdb->get_results($q)\n$q assigned unsafely at line 237:\n $q = $wpdb->prepare(\n\t\t'SELECT COUNT(id) as cnt, post_title\n FROM ' . $wpdb->prefix . "sdm_downloads\n WHERE DATE_FORMAT(`date_time`,'%%Y-%%m-%%d')>=%s\n AND DATE_FORMAT(`date_time`,'%%Y-%%m-%%d')<=%s\n GROUP BY post_title \n ORDER BY cnt DESC LIMIT $limit",\n\t\t$start_date,\n\t\t$end_date\n\t)\n$limit used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Simple Download Monitor

simple-download-monitor

issues

20K

installs

Unescaped parameter $q used in $wpdb->get_results($q)\n$q assigned unsafely at line 41:\n $q = $wpdb->prepare( $q, $orderby, $order, $number )\n$q assigned unsafely at line 34:\n $q = 'SELECT posts.*, downloads.id, downloads.post_id, postmeta.*, (COUNT(downloads.post_id) + postmeta.meta_value) AS cnt'\n\t\t. ' FROM ' . $wpdb->prefix . 'posts as posts, ' . $wpdb->prefix . 'sdm_downloads as downloads, ' . $wpdb->prefix . 'postmeta as postmeta WHERE'\n\t\t. ' posts.id=downloads.post_id'\n\t\t. " AND (postmeta.meta_key='sdm_count_offset' AND postmeta.post_id=downloads.post_id)"\n\t\t. ' GROUP BY downloads.post_id'\n\t\t. ' ORDER BY cnt DESC, %s %s'\n\t\t. ' LIMIT %d;'\n$q assigned unsafely at line 31:\n $q = $wpdb->prepare( $q, $category_slug, $orderby, $order, $number )\n$q assigned unsafely at line 23:\n $q = 'SELECT posts.*, downloads.id, downloads.post_id, terms.*, termrel.*, postmeta.*, (COUNT(downloads.post_id) + postmeta.meta_value) AS cnt'\n\t\t. ' FROM ' . $wpdb->prefix . 'posts as posts, ' . $wpdb->prefix . 'sdm_downloads as downloads, ' . $wpdb->prefix . 'terms as terms, ' . $wpdb->prefix . 'term_relationships as termrel, ' . $wpdb->prefix . 'postmeta as postmeta WHERE'\n\t\t. ' posts.id=downloads.post_id'\n\t\t. " AND (postmeta.meta_key='sdm_count_offset' AND postmeta.post_id=downloads.post_id)"\n\t\t. ' AND (terms.slug= %s AND termrel.object_id=downloads.post_id AND termrel.term_taxonomy_id=terms.term_id)'\n\t\t. ' GROUP BY downloads.post_id'\n\t\t. ' ORDER BY cnt DESC, %s %s'\n\t\t. ' LIMIT %d;'\n$order used without escaping.\n$number used without escaping.\n$category_slug used without escaping.