ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

179

Instances found

Total Impact

40K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $agent_map[$old_id] used in $wpdb->get_row("SELECT * from {$wpdb->prefix}psmsc_agents WHERE id = " . $agent_map[ $old_id ])\n$agent_map[$old_id] used without escaping.

Unescaped parameter $attachment->id used in $wpdb->query("DELETE FROM {$wpdb->prefix}psmsc_attachments WHERE id=" . $attachment->id)\n$attachment->id used without escaping.

Unescaped parameter $category->id used in $wpdb->get_results("SELECT * FROM {$wpdb->prefix}psmsc_threads WHERE \n\t\t\t\t\t(type = 'log') AND \n\t\t\t\t\tJSON_VALID(body) AND \n\t\t\t\t\tJSON_EXTRACT(body, '$.slug') = 'category' AND\n\t\t\t\t\t(\n\t\t\t\t\t\tJSON_UNQUOTE(JSON_EXTRACT(body, '$.new')) = '" . $category->id . "' OR\n\t\t\t\t\t\tJSON_UNQUOTE(JSON_EXTRACT(body, '$.prev')) = '" . $category->id . "'\n\t\t\t\t\t)")\n$category->id used without escaping.

Unescaped parameter $category->load_order used in $wpdb->get_var("SELECT id FROM {$wpdb->prefix}psmsc_categories WHERE load_order < {$category->load_order} ORDER BY load_order DESC LIMIT 1")\n$category->load_order used without escaping.

Unescaped parameter $cf->field used in $wpdb->get_var("SELECT max(load_order) FROM {$wpdb->prefix}psmsc_custom_fields WHERE field='{$cf->field}'")\n$cf->field used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

SupportCandy – Helpdesk & Customer Support Ticket System

Fluent Support – Helpdesk & Customer Support Ticket System