ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $column_name used in $wpdb->get_var($wpdb->prepare(\n\t\t\t\t"SELECT {$column_name} FROM {$wpdb->posts} WHERE ID=%d AND post_type=%s", \t\t\t\t$action_id,\n\t\t\t\tself::POST_TYPE\n\t\t\t))

Unescaped parameter $country_table used in $wpdb->get_row($wpdb->prepare( "SELECT `CNT_ISO`,`CNT_active` FROM {$country_table} WHERE `CNT_name` = %s OR `CNT_ISO` = %s OR `CNT_ISO3` = %s", $venue_country, $venue_country, $venue_country ))\n$country_table assigned unsafely at line 321:\n $country_table = $wpdb->prefix . 'esp_country'\n$state_table assigned unsafely at line 322:\n $state_table = $wpdb->prefix . 'esp_state'\n$venue_country assigned unsafely at line 299:\n $venue_country = isset( $venue_array['country'] ) ? sanitize_text_field( $venue_array['country'] ) : ''\nNote: sanitize_text_field() is not a safe escaping function.\n$cnt_country assigned unsafely at line 325:\n $cnt_country = $wpdb->get_row( $wpdb->prepare( "SELECT `CNT_ISO`,`CNT_active` FROM {$country_table} WHERE `CNT_name` = %s OR `CNT_ISO` = %s OR `CNT_ISO3` = %s", $venue_country, $venue_country, $venue_country ) )\n$venue_array['country'] used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Import Eventbrite Events

import-eventbrite-events

issues

installs

Unescaped parameter $event_meta_table used in $wpdb->get_var($wpdb->prepare( "SELECT `EVTM_ID` FROM {$event_meta_table} WHERE EVT_ID = %d", $inserted_event_id ))\n$event_meta_table assigned unsafely at line 149:\n $event_meta_table = $wpdb->prefix . 'esp_event_meta'\n$datetime_data assigned unsafely at line 151:\n $datetime_data = array(\n\t\t\t\t'EVT_ID' => $inserted_event_id,\n\t\t\t\t'DTT_EVT_start' => $event_start_date,\n\t\t\t\t'DTT_EVT_end' => $event_end_date,\n\t\t\t)\n$inserted_event_id assigned unsafely at line 113:\n $inserted_event_id = wp_insert_post( $emeventdata, true )\n$emeventdata assigned unsafely at line 99:\n $emeventdata = array(\n\t\t\t'post_title' => $post_title,\n\t\t\t'post_content' => $post_description,\n\t\t\t'post_type' => $this->event_posttype,\n\t\t\t'post_status' => 'pending',\n\t\t\t'post_author' => isset($event_args['event_author']) ? $event_args['event_author'] : get_current_user_id()\n\t\t)\n$event_args['event_author'] used without escaping.

Unescaped parameter $event_venue_table used in $wpdb->get_col($wpdb->prepare( "SELECT * FROM {$event_venue_table} WHERE EVT_ID = %d", $inserted_event_id ))\n$event_venue_table assigned unsafely at line 197:\n $event_venue_table = $wpdb->prefix . 'esp_event_venue'\n$result assigned unsafely at line 199:\n $result = $wpdb->get_col( $wpdb->prepare( "SELECT * FROM {$event_venue_table} WHERE EVT_ID = %d", $inserted_event_id ) )\n$inserted_event_id assigned unsafely at line 113:\n $inserted_event_id = wp_insert_post( $emeventdata, true )\n$emeventdata assigned unsafely at line 99:\n $emeventdata = array(\n\t\t\t'post_title' => $post_title,\n\t\t\t'post_content' => $post_description,\n\t\t\t'post_type' => $this->event_posttype,\n\t\t\t'post_status' => 'pending',\n\t\t\t'post_author' => isset($event_args['event_author']) ? $event_args['event_author'] : get_current_user_id()\n\t\t)\n$event_args['event_author'] used without escaping.

Unescaped parameter $insert_sql used in $wpdb->query($insert_sql)\n$insert_sql assigned unsafely at line 118:\n $insert_sql = $this->build_insert_sql( $data, $unique )\n$data assigned unsafely at line 100:\n $data = array(\n\t\t\t\t'hook' => $action->get_hook(),\n\t\t\t\t'status' => ( $action->is_finished() ? self::STATUS_COMPLETE : self::STATUS_PENDING ),\n\t\t\t\t'scheduled_date_gmt' => $this->get_scheduled_date_string( $action, $date ),\n\t\t\t\t'scheduled_date_local' => $this->get_scheduled_date_string_local( $action, $date ),\n\t\t\t\t'schedule' => serialize( $action->get_schedule() ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_serialize\n\t\t\t\t'group_id' => current( $this->get_group_ids( $action->get_group() ) ),\n\t\t\t\t'priority' => $action->get_priority(),\n\t\t\t)\n$unique used without escaping.\n$action used without escaping.\n$date used without escaping.