ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

40K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $q used in $wpdb->get_results($q)\n$q assigned unsafely at line 11:\n $q = "SHOW GLOBAL STATUS" . '/*' . index_wp_mysql_for_speed_querytag . rand( 0, 999999999 ) . '*/'\n$resultSet assigned unsafely at line 12:\n $resultSet = $wpdb->get_results( $q, ARRAY_N )

Unescaped parameter $q used in $wpdb->get_results($q)\n$q assigned unsafely at line 46:\n $q = "SELECT option_name FROM $wpdb->options WHERE option_name LIKE '" . $prefix . "%' AND LENGTH(option_value) > 0"

Unescaped parameter $query used in $wpdb->query($query)\n$query assigned unsafely at line 163:\n $query = $wpdb->prepare( $this->tagQuery( $query ), $name, $maxlength, $maxlength, $separator )\n$query assigned unsafely at line 158:\n $query = "INSERT INTO $wpdb->options (option_name, option_value, autoload)"\n . "VALUES (%s, @upload, 'no')"\n . "ON DUPLICATE KEY UPDATE option_value ="\n . "IF(%d > 0 AND LENGTH(option_value) <= %d - LENGTH(@upload),"\n . "CONCAT(option_value, %s, @upload), option_value)"\n$name used without escaping.\n$maxlength used without escaping.\n$separator used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Index WP MySQL For Speed

index-wp-mysql-for-speed

issues

40K

installs

Unescaped parameter $sql used in $wpdb->query($wpdb->prepare( $sql, $value ))\n$sql assigned unsafely at line 205:\n $sql = $this->tagQuery( $q )\n$q assigned unsafely at line 204:\n $q .= is_numeric( $value ) ? '%d' : '%s'\n$q assigned unsafely at line 203:\n $q = "SET SESSION $name="\n$name assigned unsafely at line 202:\n $name = sanitize_key( $name )\nNote: sanitize_key() is not a safe escaping function.