ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 333:\n $query = $wpdb->prepare( $sql, $params )\n$sql assigned unsafely at line 331:\n $sql = apply_filters( 'irecommendthis_top_posts_sql', $sql, $params, $atts )\n$sql assigned unsafely at line 317:\n $sql .= ' AND p.post_type = %s'\n$params assigned unsafely at line 318:\n $params[] = $post_type\n$atts used without escaping.\n$post_type assigned unsafely at line 284:\n $post_type = sanitize_text_field( $atts['post_type'] )\nNote: sanitize_text_field() is not a safe escaping function.\n$atts['post_type'] used without escaping.

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 605:\n $query = self::build_db_logs_query(\n\t\t\t\t$filters,\n\t\t\t\t$limit,\n\t\t\t\t$offset,\n\t\t\t\t$order\n\t\t\t)\n$filters used without escaping.\n$limit used without escaping.\n$offset used without escaping.\n$order used without escaping.

Unescaped parameter $query used in $wpdb->query($query)\n$query assigned unsafely at line 663:\n $query = "SELECT {$columns} UNION ALL " . $query\n$columns assigned unsafely at line 660:\n $columns .= "'" . self::$_log_columns[ $i ] . "'"\n$_log_columns[$i] used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

I Recommend This – Love/Like Button for WordPress Posts

i-recommend-this

issues

installs

Rating-Widget: Star Review System

rating-widget

issues

installs

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 248:\n $sql = apply_filters(\n\t\t\t'irecommendthis_widget_query',\n\t\t\t$wpdb->prepare(\n\t\t\t\t"SELECT p.ID, p.post_title, pm.meta_value AS meta_value\n\t\t\t\tFROM {$wpdb->posts} p\n\t\t\t\tINNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id\n\t\t\t\tWHERE p.post_status = 'publish'\n\t\t\t\tAND p.post_type = 'post'\n\t\t\t\tAND pm.meta_key = '_recommended'\n\t\t\t\tORDER BY CAST(pm.meta_value AS UNSIGNED) DESC\n\t\t\t\tLIMIT %d",\n\t\t\t\t$number_of_posts\n\t\t\t),\n\t\t\t$number_of_posts\n\t\t)