ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $column used in $wpdb->get_var($wpdb->prepare("\n\t\t\tSELECT COUNT(*)\n\t\t\tFROM {$table}\n\t\t\tWHERE {$column} LIKE %s\n\t\t", $key))\n$column assigned unsafely at line 401:\n $column = 'meta_key'\n$key assigned unsafely at line 403:\n $key = $wpdb->esc_like($this->identifier . '_batch_') . '%'

Unescaped parameter $column_name used in $wpdb->get_var($wpdb->prepare(\n\t\t\t\t"SELECT {$column_name} FROM {$wpdb->posts} WHERE ID=%d AND post_type=%s", \t\t\t\t$action_id,\n\t\t\t\tself::POST_TYPE\n\t\t\t))

Unescaped parameter $insert_sql used in $wpdb->query($insert_sql)\n$insert_sql assigned unsafely at line 106:\n $insert_sql = $this->build_insert_sql( $data, $unique )\n$data assigned unsafely at line 88:\n $data = array(\n\t\t\t\t'hook' => $action->get_hook(),\n\t\t\t\t'status' => ( $action->is_finished() ? self::STATUS_COMPLETE : self::STATUS_PENDING ),\n\t\t\t\t'scheduled_date_gmt' => $this->get_scheduled_date_string( $action, $date ),\n\t\t\t\t'scheduled_date_local' => $this->get_scheduled_date_string_local( $action, $date ),\n\t\t\t\t'schedule' => serialize( $action->get_schedule() ), // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_serialize\n\t\t\t\t'group_id' => current( $this->get_group_ids( $action->get_group() ) ),\n\t\t\t\t'priority' => $action->get_priority(),\n\t\t\t)\n$unique used without escaping.\n$action used without escaping.\n$date used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Image SEO – AI-Driven Image SEO Optimizer

imageseo

issues

installs

Unescaped parameter $query used in $wpdb->query($query)\n$query assigned unsafely at line 120:\n $query = "\n\t\t\t\tALTER TABLE {$table_name}\n\t\t\t\tMODIFY COLUMN scheduled_date_gmt datetime NULL default '{$default_date}',\n\t\t\t\tMODIFY COLUMN scheduled_date_local datetime NULL default '{$default_date}',\n\t\t\t\tMODIFY COLUMN last_attempt_gmt datetime NULL default '{$default_date}',\n\t\t\t\tMODIFY COLUMN last_attempt_local datetime NULL default '{$default_date}'\n\t\t"\n$table_name assigned unsafely at line 115:\n $table_name = $wpdb->prefix . 'actionscheduler_actions'\n$table_list assigned unsafely at line 116:\n $table_list = $wpdb->get_col( "SHOW TABLES LIKE '{$table_name}'" )

Unescaped parameter $query used in $wpdb->query($query)\n$query assigned unsafely at line 81:\n $query = "\n\t\t\t\tALTER TABLE {$table_name}\n\t\t\t\tMODIFY COLUMN log_date_gmt datetime NULL default '{$default_date}',\n\t\t\t\tMODIFY COLUMN log_date_local datetime NULL default '{$default_date}'\n\t\t\t"\n$table_name assigned unsafely at line 76:\n $table_name = $wpdb->prefix . 'actionscheduler_logs'\n$table_list assigned unsafely at line 77:\n $table_list = $wpdb->get_col( "SHOW TABLES LIKE '{$table_name}'" )