Unescaped parameter $db_table used in $wpdb->get_results("SELECT * FROM {$wpdb->prefix}daexthrmal_$db_table $filter ORDER BY $db_primary_key DESC $query_limit")
  $db_table used without escaping.
  $filter assigned unsafely at line 200:
    $filter .= ')'
  $filter assigned unsafely at line 194:
    $filter .= $wpdb->prepare( $searchable_field . ' LIKE %s', '%' . $post_search_input . '%' )
  $db_primary_key assigned unsafely at line 235:
    $db_primary_key = sanitize_key( $db_primary_key )
  Note: sanitize_key() is not a safe escaping function.
  $query_limit assigned unsafely at line 232:
    $query_limit = $pag->query_limit()
  $total_items assigned unsafely at line 209:
    $total_items = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}daexthrmal_$db_table $filter" )
  $searchable_field assigned unsafely at line 191:
    $searchable_field = sanitize_key( $searchable_field )
  $pag assigned unsafely at line 222:
    $pag = new Daexthrmal_Pagination( $this->shared )
Unescaped parameter $db_table used in $wpdb->get_var("SELECT COUNT(*) FROM {$wpdb->prefix}daexthrmal_$db_table $filter")
  $db_table used without escaping.
  $filter assigned unsafely at line 200:
    $filter .= ')'
  $filter assigned unsafely at line 194:
    $filter .= $wpdb->prepare( $searchable_field . ' LIKE %s', '%' . $post_search_input . '%' )
  $total_items assigned unsafely at line 209:
    $total_items = $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->prefix}daexthrmal_$db_table $filter" )
  $searchable_field assigned unsafely at line 191:
    $searchable_field = sanitize_key( $searchable_field )
  Note: sanitize_key() is not a safe escaping function.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $db_table_name used in $wpdb->get_row($wpdb->prepare( "SELECT * FROM $db_table_name WHERE $primary_key = %d", $edit_id ))
  $db_table_name assigned unsafely at line 522:
    $db_table_name = $wpdb->prefix . 'daexthrmal_' . $this->db_table
  Note: sanitize_key() is not a safe escaping function.
  $primary_key assigned unsafely at line 525:
    $primary_key = sanitize_key( $this->primary_key )
Unescaped parameter $db_table_name used in $wpdb->query($wpdb->prepare( "DELETE FROM $db_table_name WHERE $primary_key = %d", $data['delete_id'] ))
  $db_table_name assigned unsafely at line 1137:
    $db_table_name = $wpdb->prefix . 'daexthrmal_' . $this->db_table
  Note: sanitize_key() is not a safe escaping function.
  $primary_key assigned unsafely at line 1140:
    $primary_key = sanitize_key( $this->primary_key )
Unescaped parameter $table_name used in $wpdb->get_row($wpdb->prepare( "SELECT * FROM $table_name WHERE $primary_key_name = %d", $primary_key_value ))
  $table_name assigned unsafely at line 1332:
    $table_name = sanitize_key( $table_name )
  Note: sanitize_key() is not a safe escaping function.
  $table_name assigned unsafely at line 1327:
    $table_name = $wpdb->prefix . $this->shared->get( 'slug' ) . '_' . $table_name
  $primary_key_name assigned unsafely at line 1335:
    $primary_key_name = sanitize_key( $primary_key_name )