Unescaped parameter $createIfNotUpdate used in $wpdb->query($createIfNotUpdate)
$createIfNotUpdate assigned unsafely at line 292:
  $createIfNotUpdate .= ';'
$createIfNotUpdate assigned unsafely at line 291:
  $createIfNotUpdate = rtrim($createIfNotUpdate, ', ')
$createIfNotUpdate assigned unsafely at line 289:
  $createIfNotUpdate .= $key. "='" .$value. "',"
$key assigned unsafely at line 288:
  $key => 
$key assigned unsafely at line 282:
  $key => 
$value used without escaping.

Unescaped parameter $latest_year_query used in $wpdb->get_var($latest_year_query)
$latest_year_query assigned unsafely at line 99:
  $latest_year_query = "SELECT MAX(YEAR(d_date)) FROM $tableName"
$tableName assigned unsafely at line 97:
  $tableName = $wpdb->prefix . "timetable"

Unescaped parameter $prepared used in $wpdb->get_results($prepared)
$prepared assigned unsafely at line 234:
  $prepared = $wpdb->prepare( $sql, array( (int)$monthNumber, (int)$year ) )
$sql assigned unsafely at line 231:
  $sql = "SELECT * FROM $this->dbTable WHERE month(d_date) = %d AND YEAR(d_date) = %d ORDER BY d_date ASC"

Unescaped parameter $prepared used in $wpdb->get_results($prepared)
$prepared assigned unsafely at line 241:
  $prepared = $wpdb->prepare( $sql, array( (int)$monthNumber ) )
$sql assigned unsafely at line 238:
  $sql = "SELECT * FROM $this->dbTable WHERE month(d_date) = %d and year(d_date) = (select max(year(d_date)) from ". $this->dbTable .") ORDER BY d_date ASC"
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 109:
  $query = $wpdb->prepare("SELECT * FROM $tableName WHERE YEAR(`d_date`) = %d", $latest_year)
$tableName assigned unsafely at line 97:
  $tableName = $wpdb->prefix . "timetable"
$latest_year_query assigned unsafely at line 99:
  $latest_year_query = "SELECT MAX(YEAR(d_date)) FROM $tableName"