ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

261

Instances found

Total Impact

45K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $badge_filter used in $wpdb->get_var($wpdb->prepare( \n\t\t\t\t\t\t"SELECT COUNT( DISTINCT user_id ) FROM %i WHERE meta_key = %s {$badge_filter};",\n\t\t\t\t\t\t$wpdb->usermeta,\n\t\t\t\t\t\tmycred_get_meta_key( $this->user_meta_key ) \n\t\t\t\t\t))\n$badge_filter assigned unsafely at line 120:\n $badge_filter = ( $badge_id !== NULL && is_numeric( $badge_id ) ) ? $wpdb->prepare( "AND meta_value = %s", $badge_id ) : ''\n$count assigned unsafely at line 122:\n $count = $wpdb->get_var( \n\t\t\t\t\t$wpdb->prepare( \n\t\t\t\t\t\t"SELECT COUNT( DISTINCT user_id ) FROM %i WHERE meta_key = %s {$badge_filter};",\n\t\t\t\t\t\t$wpdb->usermeta,\n\t\t\t\t\t\tmycred_get_meta_key( $this->user_meta_key ) \n\t\t\t\t\t) \n\t\t\t\t)

Unescaped parameter $balance_format used in $wpdb->query($wpdb->prepare( "\n\t\t\t\t\tUPDATE {$wpdb->usermeta} ranks \n\t\t\t\t\t\tINNER JOIN {$wpdb->usermeta} balance ON ( ranks.user_id = balance.user_id AND balance.meta_key = %s )\n\t\t\t\t\tSET ranks.meta_value = %d \n\t\t\t\t\tWHERE ranks.meta_key = %s \n\t\t\t\t\t\tAND balance.meta_value BETWEEN {$balance_format} AND {$balance_format};", $balance_key, $rank->post_id, $rank_key, $rank->minimum, $rank->maximum ))\n$balance_format assigned unsafely at line 511:\n $balance_format = ( isset( $type_object->sql_format ) ) ? $type_object->sql_format : '%d'\n$type_object->sql_format used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers

myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.

mycred