Unescaped parameter $dbtable used in $wpdb->get_row($wpdb->prepare("SELECT * FROM $dbtable WHERE id = %d", [$widget_id]))
$dbtable assigned unsafely at line 4024:
    $dbtable = $this->get_widget_tablename()

Unescaped parameter $dbtable used in $wpdb->get_row($wpdb->prepare("SELECT * FROM $dbtable WHERE id = %d", [$widget_id]))
$dbtable assigned unsafely at line 4052:
    $dbtable = $this->get_widget_tablename()

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 4017:
    $sql = "SELECT `auto_increment` FROM INFORMATION_SCHEMA.TABLES WHERE table_name = '{$dbtable}'"
$dbtable assigned unsafely at line 4015:
    $dbtable = $this->get_widget_tablename()

Unescaped parameter $sql used in $wpdb->get_results($sql)
$sql assigned unsafely at line 4038:
    $sql .= " ORDER BY $order_by $order"
$order used without escaping.

Unescaped parameter $sql used in $wpdb->query($sql)
$sql assigned unsafely at line 3938:
    $sql = "DROP TABLE IF EXISTS $dbtable"
$dbtable assigned unsafely at line 3937:
    $dbtable = TrustindexTestimonialsPlugin::get_widget_tablename()

Affected Plugins
Plugins that have instances of this rule violation