ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

132K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $deleted_media_sql used in $wpdb->get_results($deleted_media_sql)\n$deleted_media_sql assigned unsafely at line 11:\n $deleted_media_sql = 'SELECT * FROM ' . $wmh_deleted_media . ''\n$wmh_deleted_media assigned unsafely at line 10:\n $wmh_deleted_media = $wpdb->prefix . MH_PREFIX . 'deleted_media'

Unescaped parameter $error_log_sql used in $wpdb->get_results($error_log_sql)\n$error_log_sql assigned unsafely at line 9:\n $error_log_sql = 'SELECT * FROM ' . $wmh_error_log . ''\n$wmh_error_log assigned unsafely at line 8:\n $wmh_error_log = $wpdb->prefix.MH_PREFIX . 'error_log'

Unescaped parameter $metaQuery used in $wpdb->get_results($metaQuery)\n$metaQuery assigned unsafely at line 1012:\n $metaQuery = "SELECT comment_id, meta_key FROM $wpdb->commentmeta WHERE comment_id IN ( {$commentquery} ) AND ( {$metaWhere} )"\n$commentquery assigned unsafely at line 1005:\n $commentquery .= " AND ( $wpdb->comments.comment_date <= '{$delete_end_date} 23:59:59' )"\n$metaWhere assigned unsafely at line 1009:\n $metaWhere = $this->get_meta_where( $data )\n$delete_end_date assigned unsafely at line 981:\n $delete_end_date = ''\n$data used without escaping.\n$input_days assigned unsafely at line 974:\n $input_days = isset( $data['input_days'] ) ? esc_sql( $data['input_days'] ) : ''\n$delete_start_date assigned unsafely at line 981:\n $delete_start_date = $delete_end_date = ''\n$date_type assigned unsafely at line 973:\n $date_type = isset( $data['date_type'] ) ? esc_sql( $data['date_type'] ) : 'custom_date'

Affected Plugins

Plugins that have instances of this rule violation

Unescaped parameter $metaQuery used in $wpdb->get_results($metaQuery)\n$metaQuery assigned unsafely at line 1132:\n $metaQuery = "SELECT user_id, meta_key FROM $wpdb->usermeta WHERE user_id IN ( {$userquery} ) AND ( {$metaWhere} )"\n$userquery assigned unsafely at line 1124:\n $userquery .= " AND ( $wpdb->users.user_registered <= '{$delete_end_date} 23:59:59' )"\n$metaWhere assigned unsafely at line 1129:\n $metaWhere = $this->get_meta_where( $data )\n$delete_end_date assigned unsafely at line 1079:\n $delete_end_date = ''\n$data used without escaping.\n$input_days assigned unsafely at line 1072:\n $input_days = isset( $data['input_days'] ) ? esc_sql( $data['input_days'] ) : ''\n$delete_start_date assigned unsafely at line 1079:\n $delete_start_date = $delete_end_date = ''\n$date_type assigned unsafely at line 1071:\n $date_type = isset( $data['date_type'] ) ? esc_sql( $data['date_type'] ) : 'custom_date'

Unescaped parameter $metaQuery used in $wpdb->get_results($metaQuery)\n$metaQuery assigned unsafely at line 915:\n $metaQuery = "SELECT post_id, meta_key FROM $wpdb->postmeta WHERE post_id IN ( {$postquery} ) AND ( {$metaWhere} )"\n$postquery assigned unsafely at line 908:\n $postquery .= " AND ( $wpdb->posts.post_date <= '{$delete_end_date} 23:59:59' )"\n$metaWhere assigned unsafely at line 912:\n $metaWhere = $this->get_meta_where( $data )\n$delete_end_date assigned unsafely at line 893:\n $delete_end_date = ''\n$data used without escaping.\n$input_days assigned unsafely at line 886:\n $input_days = isset( $data['input_days'] ) ? esc_sql( $data['input_days'] ) : ''\n$delete_start_date assigned unsafely at line 893:\n $delete_start_date = $delete_end_date = ''\n$date_type assigned unsafely at line 885:\n $date_type = isset( $data['date_type'] ) ? esc_sql( $data['date_type'] ) : 'custom_date'