Unescaped parameter $complexBox[$intA]->id used in $wpdb->query($wpdb->prepare("UPDATE {$wpdb->joomsport_box_match} SET ".('boxfield_'.$complexBox[$intA]->id)." = %s WHERE id=%d",array($field,$val,$boxm[$intB]->id)))
$complexBox[$intA]->id used without escaping.

Unescaped parameter $events_idsS used in $wpdb->query($wpdb->prepare(
 'UPDATE '.$wpdb->joomsport_playerlist.' as pl '
 . ' JOIN (SELECT ROUND(AVG(me.ecount),3) as esum, me.player_id,me.t_id,me.season_id'
 .' FROM '.$wpdb->joomsport_match_events.' as me'
 .' JOIN '.$wpdb->joomsport_matches.' as p ON p.postID=me.match_id AND p.status="1"'
 .' WHERE me.e_id IN ('.$events_idsS.')'
 ." AND me.season_id = %d"
 .' GROUP BY me.player_id,me.t_id) as fk'
 . ' ON pl.player_id=fk.player_id AND pl.team_id=fk.t_id AND fk.season_id=pl.season_id'
 . ' SET pl.'.$tblCOl.' = fk.esum',
 array($this->season_id)
 ))
$events_idsS assigned unsafely at line 1692:
 $events_idsS = implode(',', $events_ids)
$events_ids assigned unsafely at line 1689:
 $events_ids = json_decode($event->subevents, true)
$event->subevents used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $events_idsS used in $wpdb->query($wpdb->prepare(
 'UPDATE '.$wpdb->joomsport_playerlist.' as pl '
 . ' JOIN (SELECT SUM(me.ecount) as esum, me.player_id,me.t_id,me.season_id'
 .' FROM '.$wpdb->joomsport_match_events.' as me'
 .' JOIN '.$wpdb->joomsport_matches.' as p ON p.postID=me.match_id AND p.status="1"'
 .' WHERE me.e_id IN ('.$events_idsS.')'
 ." AND me.season_id = %d"
 .' GROUP BY me.player_id,me.t_id) as fk'
 . ' ON pl.player_id=fk.player_id AND pl.team_id=fk.t_id AND fk.season_id=pl.season_id'
 . ' SET pl.'.$tblCOl.' = fk.esum',
 array($this->season_id)
 ))
$events_idsS assigned unsafely at line 1692:
 $events_idsS = implode(',', $events_ids)
$events_ids assigned unsafely at line 1689:
 $events_ids = json_decode($event->subevents, true)
$event->subevents used without escaping.

Unescaped parameter $events_idsS used in $wpdb->query($wpdb->prepare(
 'UPDATE '.$wpdb->joomsport_playerlist.' as pl '
 . ' JOIN (SELECT ROUND(AVG(me.ecount),3) as esum, me.player_id,me.season_id'
 .' FROM '.$wpdb->joomsport_match_events.' as me'
 .' JOIN '.$wpdb->joomsport_matches.' as p ON p.postID=me.match_id AND p.status="1"'
 .' WHERE me.e_id IN ('.$events_idsS.')'
 ." AND me.season_id = %d"
 .' GROUP BY me.player_id) as fk'
 . ' ON pl.player_id=fk.player_id AND fk.season_id=pl.season_id'
 . ' SET pl.'.$tblCOl.' = fk.esum',
 array($this->season_id)
 ))
$events_idsS assigned unsafely at line 1506:
 $events_idsS = implode(',', $events_ids)
$events_ids assigned unsafely at line 1503:
 $events_ids = json_decode($event->subevents,true)
$event->subevents used without escaping.

Unescaped parameter $events_idsS used in $wpdb->query($wpdb->prepare(
 'UPDATE '.$wpdb->joomsport_playerlist.' as pl '
 . ' JOIN (SELECT SUM(me.ecount) as esum, me.player_id,me.season_id'
 .' FROM '.$wpdb->joomsport_match_events.' as me'
 .' JOIN '.$wpdb->joomsport_matches.' as p ON p.postID=me.match_id AND p.status="1"'
 .' WHERE me.e_id IN ('.$events_idsS.')'
 ." AND me.season_id = %d"
 .' GROUP BY me.player_id) as fk'
 . ' ON pl.player_id=fk.player_id AND fk.season_id=pl.season_id'
 . ' SET pl.'.$tblCOl.' = fk.esum',
 array($this->season_id)
 ))
$events_idsS assigned unsafely at line 1506:
 $events_idsS = implode(',', $events_ids)
$events_ids assigned unsafely at line 1503:
 $events_ids = json_decode($event->subevents,true)
$event->subevents used without escaping.