Unescaped parameter $sql used in $wpdb->get_row($sql)
$sql assigned unsafely at line 258:
    $sql = "SELECT * FROM `".$wpdb->prefix ."paytm_order_data` WHERE `order_id` = '".$order_id."' ORDER BY `id` DESC LIMIT 1"
$order_id used without escaping.

Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 385:
    $sql = "UPDATE `" . $wpdb->prefix . "paytm_order_data` SET `order_id` = '" . $order_id . "', `paytm_order_id` = '" . $paytm_order_id . "', `transaction_id` = '" . $transaction_id . "', `status` = '" . (int)$status . "', `paytm_response` = '" . json_encode($data) . "', `date_modified` = NOW() WHERE `id` = '" . (int)$id . "' AND `paytm_order_id` = '" . $paytm_order_id . "'"
$order_id used without escaping.
$paytm_order_id assigned unsafely at line 381:
    $paytm_order_id = (!empty($data['ORDERID'])? $data['ORDERID']:'')
$transaction_id assigned unsafely at line 382:
    $transaction_id = (!empty($data['TXNID'])? $data['TXNID']:'')
$data used without escaping.
$id used without escaping.
$data['ORDERID'] used without escaping.
$data['TXNID'] used without escaping.

Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 389:
    $sql = "INSERT INTO `" . $wpdb->prefix . "paytm_order_data` SET `order_id` = '" . $order_id . "', `paytm_order_id` = '" . $paytm_order_id . "', `transaction_id` = '" . $transaction_id . "', `status` = '" . (int)$status . "', `paytm_response` = '" . json_encode($data) . "', `date_added` = NOW(), `date_modified` = NOW()"
$order_id used without escaping.
$paytm_order_id assigned unsafely at line 381:
    $paytm_order_id = (!empty($data['ORDERID'])? $data['ORDERID']:'')
$transaction_id assigned unsafely at line 382:
    $transaction_id = (!empty($data['TXNID'])? $data['TXNID']:'')
$data used without escaping.
$data['ORDERID'] used without escaping.
$data['TXNID'] used without escaping.

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 88:
    $sql = "CREATE TABLE IF NOT EXISTS $table_name (
            `id` int(11) NOT NULL AUTO_INCREMENT,
            `order_id` int(11) NOT NULL,
            `paytm_order_id` VARCHAR(255) NOT NULL,
            `transaction_id` VARCHAR(255) NOT NULL,
            `status` ENUM('0', '1') DEFAULT '0' NOT NULL,
            `paytm_response` TEXT,
            `date_added` DATETIME NOT NULL,
            `date_modified` DATETIME NOT NULL,
            PRIMARY KEY (`id`)
        );"
$table_name assigned unsafely at line 87:
    $table_name = $wpdb->prefix . 'paytm_order_data'

Unescaped parameter $table_name used in $wpdb->get_row($wpdb->prepare(
    "SELECT * FROM $table_name WHERE id = %d",
    $order_id
))
$table_name assigned unsafely at line 264:
    $table_name = $wpdb->prefix . 'wc_orders'
$order assigned unsafely at line 266:
    $order = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM $table_name WHERE id = %d",
            $order_id
        ),
        ARRAY_A
    )
$order_id used without escaping.