ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $delivered_sql used in $wpdb->get_results($delivered_sql)\n$delivered_sql assigned unsafely at line 67:\n $delivered_sql = $wpdb->prepare($delivered_sql, $user_id)\n$delivered_sql assigned unsafely at line 66:\n $delivered_sql = $sql . " AND delivery_status = 'delivered' GROUP BY order_id"\n$user_id used without escaping.

Unescaped parameter $pending_sql used in $wpdb->get_results($pending_sql)\n$pending_sql assigned unsafely at line 64:\n $pending_sql = $wpdb->prepare($pending_sql, $user_id)\n$pending_sql assigned unsafely at line 63:\n $pending_sql = $sql . " AND delivery_status = 'pending' GROUP BY order_id"\n$user_id used without escaping.

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 964:\n $query = implode(' ', $query)\n$query assigned unsafely at line 963:\n $query = apply_filters('woocommerce_get_filtered_term_product_counts_query', $query)

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 1030:\n $sql = $wpdb->prepare($sql, $message_to, $message_to, $message_to, $limit, $offset)\n$sql assigned unsafely at line 1029:\n $sql .= " OFFSET %d"\n$sql assigned unsafely at line 1028:\n $sql .= " LIMIT %d"\n$sql assigned unsafely at line 1027:\n $sql .= " ORDER BY wcfm_messages.`ID` DESC"\n$sql assigned unsafely at line 1024:\n $sql .= $vendor_filter\n$message_to assigned unsafely at line 1020:\n $message_to = apply_filters('wcfm_message_author', $user_id)\n$vendor_filter assigned unsafely at line 1023:\n $vendor_filter = " WHERE ( `author_id` = %s OR `message_to` = -1 OR `message_to` = %s )"\n$user_id used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

MStore API – Create Native Android & iOS Apps On The Cloud

mstore-api

issues

installs

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 103:\n $sql = $wpdb->prepare($sql,$user_id )\n$sql assigned unsafely at line 101:\n $sql = $wpdb->prepare($sql,$user_id,$order_id)\n$sql assigned unsafely at line 100:\n $sql .= " AND order_id = %s"\n$sql assigned unsafely at line 97:\n $sql .= " AND is_trashed = 0"\n$user_id used without escaping.\n$order_id assigned unsafely at line 98:\n $order_id = sanitize_text_field($request['id'])\nNote: sanitize_text_field() is not a safe escaping function.\n$request['id'] used without escaping.