Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 127:
    $sql = "
        SELECT $db_petitions.id, $db_petitions.title, $db_petitions.goal,
            COUNT( $db_signatures.id ) AS 'signatures'
        FROM $db_petitions
        LEFT JOIN $db_signatures
            ON $db_petitions.id = $db_signatures.petitions_id
            AND ( $db_signatures.is_confirmed = '' OR $db_signatures.is_confirmed = '1' )
        GROUP BY $db_petitions.id
        ORDER BY `id` $listOrder
        LIMIT $start, $limit
    "
$listOrder used without escaping.
$start used without escaping.
$limit used without escaping.

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 149:
    $sql = "
        SELECT $db_signatures.*, $db_petitions.title, $db_petitions.custom_field_label, $db_petitions.displays_custom_field
        FROM `$db_signatures`, `$db_petitions`
        WHERE $db_signatures.petitions_id = $db_petitions.id
        AND ($db_signatures.email LIKE '%" . $searchString . "%'
            OR $db_signatures.honorific LIKE '%" . $searchString . "%'
            OR $db_signatures.first_name LIKE '%" . $searchString . "%'
            OR $db_signatures.street_address LIKE '%" . $searchString . "%'
            OR $db_signatures.city LIKE '%" . $searchString . "%'
            OR $db_signatures.state LIKE '%" . $searchString . "%'
            OR $db_signatures.country LIKE '%" . $searchString . "%'
            OR $db_signatures.custom_field LIKE '%" . $searchString . "%'
            OR $db_signatures.custom_field2 LIKE '%" . $searchString . "%'
            OR $db_signatures.custom_field3 LIKE '%" . $searchString . "%'
            OR $db_signatures.custom_field4 LIKE '%" . $searchString . "%'
            OR $db_signatures.custom_field5 LIKE '%" . $searchString . "%'
            OR $db_signatures.postcode LIKE '%" . $searchString . "%')
        $sql_petition_filter
        $sql_context_filter
        ORDER BY $db_signatures.id DESC $sql_limit
    "
$searchString used without escaping.
$sql_petition_filter assigned unsafely at line 123:
    $sql_petition_filter = "AND $db_signatures.petitions_id = '$petition_id'"
$sql_context_filter assigned unsafely at line 146:
    $sql_context_filter = "AND ( $db_signatures.is_confirmed = '' OR $db_signatures.is_confirmed = 1 )"
$sql_limit assigned unsafely at line 129:
    $sql_limit = 'LIMIT ' . $start . ', ' . $limit
$petition_id used without escaping.
$start used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 152:
    $sql = "
        SELECT `id`
        FROM `$db_petitions`
    "

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 178:
    $sql = "
        SELECT $db_signatures.*, $db_petitions.title, $db_petitions.custom_field_label, $db_petitions.displays_custom_field
        FROM `$db_signatures`, `$db_petitions`
        WHERE $db_signatures.petitions_id = $db_petitions.id
        AND ($db_signatures.email LIKE '%" . $searchString . "%'
            OR $db_signatures.honorific LIKE '%" . $searchString . "%'
            OR $db_signatures.first_name LIKE '%" . $searchString . "%'
            OR $db_signatures.street_address LIKE '%" . $searchString . "%'
            OR $db_signatures.city LIKE '%" . $searchString . "%'
            OR $db_signatures.state LIKE '%" . $searchString . "%'
            OR $db_signatures.country LIKE '%" . $searchString . "%'
            OR $db_signatures.custom_field LIKE '%" . $searchString . "%'
            OR $db_signatures.postcode LIKE '%" . $searchString . "%')
        $sql_petition_filter
        $sql_context_filter
        ORDER BY $db_signatures.id DESC $limit
    "
$searchString used without escaping.
$sql_petition_filter used without escaping.
$sql_context_filter used without escaping.
$limit used without escaping.

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 249:
    $sql = "
        SELECT `id`
        FROM `$db_signatures`
        $sql_where
        $sql_context_filter
    "
$sql_where assigned unsafely at line 239:
    $sql_where = " WHERE `petitions_id` = '$petition_id' "
$sql_context_filter assigned unsafely at line 246:
    $sql_context_filter .= " ( $db_signatures.is_confirmed = 1 )"
$petition_id used without escaping.