Unescaped parameter $days used in $wpdb->get_results("SELECT `terms`,
            SUM( `count` ) AS countsum,
            SUBSTRING( MAX( CONCAT( `date` , ' ', `last_hits` ) ) , 12 ) AS hits
        FROM `{$wpdb->prefix}searchmeter`
        WHERE DATE_SUB( CURDATE( ) , INTERVAL $days DAY ) <= `date`
        GROUP BY `terms`
        $hits_selector
        ORDER BY countsum DESC, `terms` ASC
        LIMIT 20")
$days used without escaping.
Unescaped parameter $filter_term used in $wpdb->get_results("SELECT `terms`, MAX(`datetime`) `maxdatetime`
        FROM `{$wpdb->prefix}searchmeter_recent`
        WHERE 0 < `hits`
        {$filter_term}
        GROUP BY `terms`
        ORDER BY `maxdatetime` DESC
        LIMIT $count")
$filter_term assigned unsafely at line 112:
    $filter_term = ($escaped_filter_regex == "" ? "" : "AND NOT `terms` REGEXP '{$escaped_filter_regex}'")
$escaped_filter_regex assigned unsafely at line 111:
    $escaped_filter_regex = sm_get_escaped_filter_regex()
Unescaped parameter $filter_term used in $wpdb->get_results("SELECT `terms`, SUM(`count`) AS countsum
        FROM `{$wpdb->prefix}searchmeter`
        WHERE DATE_SUB( UTC_DATE( ) , INTERVAL 30 DAY ) <= `date`
        AND 0 < `last_hits`
        {$filter_term}
        GROUP BY `terms`
        ORDER BY countsum DESC, `terms` ASC
        LIMIT $count")
$filter_term assigned unsafely at line 69:
    $filter_term = ($escaped_filter_regex == "" ? "" : "AND NOT `terms` REGEXP '{$escaped_filter_regex}'")
$escaped_filter_regex assigned unsafely at line 68:
    $escaped_filter_regex = sm_get_escaped_filter_regex()
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 418:
    $query =
            "SELECT `datetime`, `terms`, `hits`, `details`
            FROM `{$wpdb->prefix}searchmeter_recent`
            ORDER BY `datetime` DESC, `terms` ASC
            LIMIT $max_lines"
$max_lines used without escaping.
Unescaped parameter $query used in $wpdb->query($query)
$query assigned unsafely at line 346:
    $query = "DELETE FROM `{$wpdb->prefix}searchmeter_recent` WHERE `datetime` < '$dateZero'"
$dateZero assigned unsafely at line 341:
    $dateZero = $wpdb->get_var($wpdb->prepare(
                    "SELECT `datetime`
                    FROM `{$wpdb->prefix}searchmeter_recent`
                    ORDER BY `datetime` DESC LIMIT %d, 1", $history_size))
$history_size assigned unsafely at line 333:
    $history_size = apply_filters('search_meter_history_size', 500)