Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 333:
    $query = $wpdb->prepare( $sql, $params )
$sql assigned unsafely at line 331:
    $sql = apply_filters( 'irecommendthis_top_posts_sql', $sql, $params, $atts )
$sql assigned unsafely at line 317:
    $sql .= ' AND p.post_type = %s'
$params assigned unsafely at line 318:
    $params[] = $post_type
$atts used without escaping.
$post_type assigned unsafely at line 284:
    $post_type = sanitize_text_field( $atts['post_type'] )
Note: sanitize_text_field() is not a safe escaping function.
$atts['post_type'] used without escaping.
Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 248:
    $sql = apply_filters(
        'irecommendthis_widget_query',
        $wpdb->prepare(
            "SELECT p.ID, p.post_title, pm.meta_value AS meta_value
            FROM {$wpdb->posts} p
            INNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id
            WHERE p.post_status = 'publish'
            AND p.post_type = 'post'
            AND pm.meta_key = '_recommended'
            ORDER BY CAST(pm.meta_value AS UNSIGNED) DESC
            LIMIT %d",
            $number_of_posts
        ),
        $number_of_posts
    )
Affected Plugins
Plugins that have instances of this rule violation