Unescaped parameter $email_sortby used in $wpdb->get_results("SELECT * FROM $wpdb->email ORDER BY $email_sortby $email_sortorder LIMIT $offset, $email_log_perpage")
$email_sortby assigned unsafely at line 80:
    $email_sortby = 'email_timestamp'
$email_sortorder assigned unsafely at line 93:
    $email_sortorder = 'DESC'
$email_sortby_text assigned unsafely at line 81:
    $email_sortby_text = __('Date', 'wp-email')
$email_sortorder_text assigned unsafely at line 94:
    $email_sortorder_text = __('Descending', 'wp-email')

Unescaped parameter $email_table used in $wpdb->query("DROP TABLE IF EXISTS $email_table")
$email_table assigned unsafely at line 63:
    $email_table = $wpdb->prefix . 'email'

Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 333:
    $query = $wpdb->prepare( $sql, $params )
$sql assigned unsafely at line 331:
    $sql = apply_filters( 'irecommendthis_top_posts_sql', $sql, $params, $atts )
$sql assigned unsafely at line 317:
    $sql .= ' AND p.post_type = %s'
$params assigned unsafely at line 318:
    $params[] = $post_type
$atts used without escaping.
$post_type assigned unsafely at line 284:
    $post_type = sanitize_text_field( $atts['post_type'] )
Note: sanitize_text_field() is not a safe escaping function.
$atts['post_type'] used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 248:
    $sql = apply_filters(
        'irecommendthis_widget_query',
        $wpdb->prepare(
            "SELECT p.ID, p.post_title, pm.meta_value AS meta_value
            FROM {$wpdb->posts} p
            INNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id
            WHERE p.post_status = 'publish'
            AND p.post_type = 'post'
            AND pm.meta_key = '_recommended'
            ORDER BY CAST(pm.meta_value AS UNSIGNED) DESC
            LIMIT %d",
            $number_of_posts
        ),
        $number_of_posts
    )

Unescaped parameter $where used in $wpdb->get_results("SELECT $wpdb->posts.*, COUNT($wpdb->email.email_postid) AS email_total FROM $wpdb->email LEFT JOIN $wpdb->posts ON $wpdb->email.email_postid = $wpdb->posts.ID WHERE post_date < '".current_time('mysql')."' AND $where AND post_password = '' AND post_status = 'publish' GROUP BY $wpdb->email.email_postid ORDER BY email_total DESC LIMIT $limit")
$where assigned unsafely at line 696:
    $where = '1=1'
$where assigned unsafely at line 694:
    $where = "post_type = '$mode'"
$limit used without escaping.
$mostemailed assigned unsafely at line 698:
    $mostemailed = $wpdb->get_results("SELECT $wpdb->posts.*, COUNT($wpdb->email.email_postid) AS email_total FROM $wpdb->email LEFT JOIN $wpdb->posts ON $wpdb->email.email_postid = $wpdb->posts.ID WHERE post_date < '".current_time('mysql')."' AND $where AND post_password = '' AND post_status = 'publish' GROUP BY $wpdb->email.email_postid ORDER BY email_total DESC LIMIT $limit")
$mode used without escaping.