Unescaped parameter $post_ids used in $wpdb->query("DELETE FROM {$wpdb->ratings} WHERE rating_postid IN (" . $post_ids . ')')
$post_ids assigned unsafely at line 71:
    $post_ids = 'all'
$delete_logs assigned unsafely at line 130:
    $delete_logs = $wpdb->query( "DELETE FROM {$wpdb->ratings} WHERE rating_postid IN (" . $post_ids . ')' )
Unescaped parameter $post_ids used in $wpdb->query("DELETE FROM {$wpdb->ratings} WHERE rating_postid IN (" . $post_ids . ')')
$post_ids assigned unsafely at line 71:
    $post_ids = 'all'
$delete_logs assigned unsafely at line 86:
    $delete_logs = $wpdb->query( "DELETE FROM {$wpdb->ratings} WHERE rating_postid IN (" . $post_ids . ')' )
Unescaped parameter $postratings_where used in $wpdb->get_results($wpdb->prepare( "SELECT * FROM {$wpdb->ratings} WHERE 1=1 {$postratings_where} ORDER BY {$postratings_sortby} {$postratings_sortorder} LIMIT %d, %d", $offset, $postratings_log_perpage ))
$wpdb->ratings assigned unsafely at line 25:
    $wpdb->ratings = $wpdb->prefix . 'ratings'
$postratings_where assigned unsafely at line 215:
    $postratings_where = ''
$postratings_sortby assigned unsafely at line 203:
    $postratings_sortby = 'rating_timestamp'
$postratings_sortorder assigned unsafely at line 50:
    $postratings_sortorder = $_GET['order']
$base_name assigned unsafely at line 28:
    $base_name = plugin_basename( 'wp-postratings/postratings-manager.php' )
$postratings_sortby_text assigned unsafely at line 204:
    $postratings_sortby_text = __('Date', 'wp-postratings')
$_GET['order'] is used without escaping: it is assigned to $postratings_sortorder, which is interpolated directly into the ORDER BY clause rather than passed through a prepare() placeholder.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $postratings_where used in $wpdb->get_var("SELECT COUNT(rating_id) FROM $wpdb->ratings WHERE 1=1 $postratings_where")
$wpdb->ratings assigned unsafely at line 25:
    $wpdb->ratings = $wpdb->prefix . 'ratings'
$postratings_where assigned unsafely at line 215:
    $postratings_where = ''
$base_name assigned unsafely at line 28:
    $base_name = plugin_basename( 'wp-postratings/postratings-manager.php' )
Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 150:
    $sql = $wpdb->prepare(
        "SELECT COUNT($wpdb->ratings.rating_postid) AS ratings_users, SUM($wpdb->ratings.rating_rating) AS ratings_score, ROUND(((SUM($wpdb->ratings.rating_rating)/COUNT($wpdb->ratings.rating_postid))), 2) AS ratings_average, $wpdb->posts.ID FROM $wpdb->posts LEFT JOIN $wpdb->ratings ON $wpdb->ratings.rating_postid = $wpdb->posts.ID WHERE rating_timestamp >= $min_time AND $wpdb->posts.post_password = '' AND $wpdb->posts.post_date < NOW() AND $wpdb->posts.post_status = 'publish' AND $where GROUP BY $wpdb->ratings.rating_postid ORDER BY ratings_users DESC, $order_by DESC LIMIT %d",
        $limit
    )
$where assigned unsafely at line 142:
    $where = '1=1'
$order_by assigned unsafely at line 147:
    $order_by = 'ratings_average'
$temp assigned unsafely at line 149:
    $temp = stripslashes(get_option('postratings_template_mostrated'))