Unescaped parameter $alterQuery used in $wpdb->query($alterQuery)
$alterQuery assigned unsafely at line 813:
 $alterQuery = "ALTER TABLE {$mySqlTable} MODIFY COLUMN {$columnConfig['orig_header']} {$newType}"
$mySqlTable assigned unsafely at line 812:
 $mySqlTable = substr($table->getTableContent(), strpos($table->getTableContent(), 'FROM') + 5)
$columnConfig['orig_header'] used without escaping.
$newType assigned unsafely at line 809:
 $newType = 'VARCHAR(255)'

Unescaped parameter $attach_id used in $wpdb->get_results("SELECT ID FROM {$wpdb->prefix}posts WHERE ID ='{$attach_id}' AND post_title ='image-failed' AND post_type = 'attachment' AND guid LIKE '%$image_title%'")
$attach_id assigned unsafely at line 91:
 $attach_id = $attachment_id[0]['ID']
$image_title assigned unsafely at line 71:
 $image_title=preg_replace('/\\.[^.\\s]{3,4}$/', '', $img_url)
$attachment_id[0]['ID'] used without escaping.
$img_url assigned unsafely at line 62:
 $img_url = urldecode($encodedurl)
$encodedurl assigned unsafely at line 61:
 $encodedurl = urlencode($img_url)

Unescaped parameter $checkTableQuery used in $wpdb->get_results($checkTableQuery)
$checkTableQuery assigned unsafely at line 75:
 $checkTableQuery = "SHOW TABLES LIKE '{$newName}'"
$newName assigned unsafely at line 74:
 $newName = $tableData->mysql_table_name . '_' . $cnt
$tableData->mysql_table_name used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $column_name used in $wpdb->get_var($wpdb->prepare(
                "SELECT {$column_name} FROM {$wpdb->posts} WHERE ID=%d AND post_type=%s",
                $action_id,
                self::POST_TYPE
            ))

Unescaped parameter $columnsQuery used in $wpdb->get_results($columnsQuery)
$columnsQuery assigned unsafely at line 224:
 $columnsQuery = $wpdb->prepare(
 'SELECT * FROM ' . $wpdb->prefix . 'wpdatatables_columns
 WHERE table_id = %d ' . $qWhere . '
 ORDER BY pos',
 $params
 )
$qWhere assigned unsafely at line 221:
 $qWhere = " AND orig_header IN ( $qWhere )"
$qWhere assigned unsafely at line 216:
 $qWhere .= '%s'
$params[] used without escaping.