ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $maps_table used in $wpdb->get_results("SELECT * FROM ".$maps_table." ORDER BY name")\n$maps_table assigned unsafely at line 178:\n $maps_table = $wpdb->prefix . "wp_openstreetmap"\n$maps_markers_table assigned unsafely at line 180:\n $maps_markers_table = $wpdb->prefix . "wp_openstreetmap_markers"\n$_GET['task'] used without escaping.\n$_REQUEST['_wpnonce'] used without escaping.\n$_POST used without escaping.\n$query assigned unsafely at line 220:\n $query = $wpdb->prepare( $query, $_POST['id'], stripslashes_deep(sanitize_text_field($_POST['name'])), sanitize_text_field($_POST['width']), sanitize_text_field($_POST['height']), intval($_POST['zoom']), floatval($_POST['latitude']), floatval($_POST['longitude']) )\nNote: sanitize_text_field() is not a safe escaping function.\n$query assigned unsafely at line 214:\n $query = "REPLACE INTO ".$maps_table." (`id`, `name`, `width`, `height`, `zoom`, `latitude`, `longitude`)\r\n\r\n\t\t\t\t\t\t\tVALUES (%d, %s, %s, %s, %d, %f, %f)"

Affected Plugins

Plugins that have instances of this rule violation

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 348:\n $query = $wpdb->prepare( $q, intval($_GET['id']))\n$q assigned unsafely at line 346:\n $q = "SELECT * FROM ".$maps_markers_table." WHERE id_map = %d"\n$maps_markers_table assigned unsafely at line 180:\n $maps_markers_table = $wpdb->prefix . "wp_openstreetmap_markers"\n$_GET['task'] used without escaping.\n$_REQUEST['_wpnonce'] used without escaping.\n$_POST used without escaping.\n$maps_table assigned unsafely at line 178:\n $maps_table = $wpdb->prefix . "wp_openstreetmap"

Unescaped parameter $query used in $wpdb->get_row($query)\n$query assigned unsafely at line 260:\n $query = $wpdb->prepare( $q, $_GET['id'])\n$q assigned unsafely at line 258:\n $q = "SELECT * FROM ".$maps_table." WHERE id = %d"\n$maps_table assigned unsafely at line 178:\n $maps_table = $wpdb->prefix . "wp_openstreetmap"\n$maps_markers_table assigned unsafely at line 180:\n $maps_markers_table = $wpdb->prefix . "wp_openstreetmap_markers"\n$_GET['task'] used without escaping.\n$_REQUEST['_wpnonce'] used without escaping.\n$_POST used without escaping.