Unescaped parameter $preparedQuery used in $wpdb->get_row($preparedQuery)
$preparedQuery assigned unsafely at line 65:
    $preparedQuery = $wpdb->prepare("DESCRIBE $table %s", $column_name)
$table assigned unsafely at line 18:
    $table = $wpdb->prefix . 'fbs_tasks'
$isForced used without escaping.
$sql assigned unsafely at line 23:
    $sql = "CREATE TABLE $table (
        `id` INT UNSIGNED NOT NULL PRIMARY KEY AUTO_INCREMENT,
        `parent_id` INT UNSIGNED NULL COMMENT 'Parent task_id if Subtask',
        `board_id` INT UNSIGNED NULL,
        `crm_contact_id` BIGINT UNSIGNED NULL COMMENT 'User ID, Contact ID, Deal ID, Subscriber ID etc.',
        `title` TEXT NULL COMMENT 'Title or Name of the Task , It can be longer than 255 characters.',
        `slug` VARCHAR(255) NULL,
        `type` VARCHAR(50) NULL COMMENT 'task, deal, idea, to-do etc.',
        `status` VARCHAR(50) NULL DEFAULT 'open' COMMENT 'open, completed, for Boards, Won or Lost for Pipelines',
        `stage_id` INT UNSIGNED NULL,
        `source` VARCHAR(50) NULL DEFAULT 'web' COMMENT 'web, funnel, contact-section etc.',
        `source_id` VARCHAR(255) NULL,
        `priority` VARCHAR(50) NULL DEFAULT 'low' COMMENT 'low, medium, high',
        `description` LONGTEXT NULL,
        `lead_value` DECIMAL(10,2) DEFAULT 0.00,
        `created_by` BIGINT UNSIGNED NULL,
        `position` decimal(10,2) NOT NULL DEFAULT '1' COMMENT 'Position of the stage or label. 1 = first, 2 = second, etc.',
        `comments_count` INT UNSIGNED NULL DEFAULT 0,
        `issue_number` INT UNSIGNED NULL COMMENT 'Board Specific Issue Number to track the task',
        `reminder_type` VARCHAR(100) NULL DEFAULT 'none',
        `settings` TEXT NULL COMMENT 'Serialized',
        `remind_at` TIMESTAMP NULL,
        `started_at` TIMESTAMP NULL,
        `due_at` TIMESTAMP NULL,
        `last_completed_at` TIMESTAMP NULL,
        `archived_at` TIMESTAMP NULL,
        `created_at` TIMESTAMP NULL,
        `updated_at` TIMESTAMP NULL,
        KEY `type` (`type`),
        KEY `board_id` (`board_id`),
        KEY `slug` (`slug`),
        KEY `comments_count` (`comments_count`),
        KEY `issue_number` (`issue_number`),
        KEY `crm_contact_id` (`crm_contact_id`),
        KEY `due_at` (`due_at`),
        KEY `priority` (`priority`)
    ) $charsetCollate;"

Triage note: of the values interpolated into these statements, only $table's assignment is shown, and it is $wpdb->prefix concatenated with a fixed string. The origins of $column_name, $isForced and $charsetCollate are not visible in this trace and need to be confirmed as non-request data before the finding is closed.
Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 113:
    $sql = "ALTER TABLE $table ADD $column_name TEXT NULL COMMENT 'serialize array' AFTER `created_by`"
$table assigned unsafely at line 97:
    $table = $wpdb->prefix . 'fbs_comments'
$table assigned unsafely at line 75:
    $table = $wpdb->prefix . 'fbs_board_terms'
$column_name assigned unsafely at line 103:
    $column_name = 'settings'
$column_name assigned unsafely at line 82:
    $column_name = 'position'
$column_exists assigned unsafely at line 106:
    $column_exists = $wpdb->get_var($wpdb->prepare(
        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared, WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching -- Table name cannot be prepared, schema check, caching not applicable
        "SHOW COLUMNS FROM $table LIKE %s", $column_name
    ))
$preparedQuery assigned unsafely at line 84:
    $preparedQuery = $wpdb->prepare("DESCRIBE $table %s", $column_name)

Triage note: every assignment shown for $table and $column_name is $wpdb->prefix plus a fixed string, or a string literal, so no request-derived value is visible on this path. The phpcs comment's "Table name cannot be prepared" holds only for older WordPress: since 6.2, $wpdb->prepare() accepts the %i identifier placeholder, so the table and column names can be bound instead of interpolated if the plugin's minimum supported version allows it.
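Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 51:
    $sql = $wpdb->prepare(
        // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- Table name and column name cannot be prepared
        "ALTER TABLE $table MODIFY $column_name decimal(10,2) NOT NULL DEFAULT '1' COMMENT 'Position: 1 = top/first, 2 = second/second in top, etc.';"
    )
$table assigned unsafely at line 16:
    $table = $wpdb->prefix . 'fbs_board_terms'
$column_name assigned unsafely at line 45:
    $column_name = 'position'
$isForced used without escaping.
$preparedQuery assigned unsafely at line 47:
    $preparedQuery = $wpdb->prepare("DESCRIBE $table %s", $column_name)

Triage note: the $wpdb->prepare() call at line 51 has no placeholder and no arguments, so it escapes nothing, and WordPress reports a _doing_it_wrong notice for a prepare() query without a placeholder. The interpolated $table and $column_name are shown as $wpdb->prefix plus a fixed string and a string literal; where $isForced comes from is not visible in this trace.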