Unescaped parameter $and used in $wpdb->get_results("SELECT DISTINCT post_author FROM $wpdb->posts WHERE post_status != 'auto-draft' $and")
$and assigned unsafely at line 373:
    $and = 'AND ID IN ( ' . implode(', ', $post_ids) . ')'
Unescaped parameter $attachments_table used in $wpdb->query("DELETE attachments FROM {$attachments_table} attachments LEFT JOIN {$wpdb->posts} posts ON posts.ID = attachments.post_id WHERE posts.ID IS NULL")
$attachments_table assigned unsafely at line 30:
    $attachments_table = defined( 'GEODIR_ATTACHMENT_TABLE' ) ? GEODIR_ATTACHMENT_TABLE : $plugin_prefix . 'attachments'
$plugin_prefix assigned unsafely at line 25:
    $plugin_prefix = $wpdb->prefix . 'geodir_'
$event_detail_table assigned unsafely at line 28:
    $event_detail_table = $plugin_prefix . 'gd_event_detail'
Unescaped parameter $cond used in $wpdb->get_results("SELECT ipaddr,time,notifyto,posted_data FROM ".$wpdb->prefix.$this->table_messages." WHERE 1=1 ".$cond." ORDER BY `time` DESC")
$cond assigned unsafely at line 58:
    $cond .= " AND (`time` <= '".esc_sql($date_end)." 23:59:59')"
$cond assigned unsafely at line 53:
    $cond .= " AND (`time` >= '".esc_sql( $date_start )."')"
$rawto assigned unsafely at line 45:
    $rawto = str_replace('/','.',$rawto)
$rawto assigned unsafely at line 41:
    $rawto = (isset($_GET["dto"]) ? sanitize_text_field($_GET["dto"]) : '')
Note: sanitize_text_field() is not a safe escaping function.
$date_end assigned unsafely at line 57:
    $date_end = date("Y-m-d",strtotime($rawto))
$_GET["dto"] used without escaping.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $cp_appb_plugin->table_items used in $wpdb->get_results("SELECT id,form_name FROM ".$wpdb->prefix.$cp_appb_plugin->table_items." ORDER BY form_name")
$cp_appb_plugin->table_items used without escaping.
Unescaped parameter $custom_fields_table used in $wpdb->query("DELETE FROM {$custom_fields_table} WHERE post_type = '{$post_type}' OR htmlvar_name = '{$post_type}'")
$custom_fields_table assigned unsafely at line 31:
    $custom_fields_table = defined( 'GEODIR_CUSTOM_FIELDS_TABLE' ) ? GEODIR_CUSTOM_FIELDS_TABLE : $plugin_prefix . 'custom_fields'
$post_type assigned unsafely at line 46:
    $post_type = 'gd_event'
$plugin_prefix assigned unsafely at line 25:
    $plugin_prefix = $wpdb->prefix . 'geodir_'
$search_fields_table assigned unsafely at line 49:
    $search_fields_table = ''
$event_detail_table assigned unsafely at line 28:
    $event_detail_table = $plugin_prefix . 'gd_event_detail'
$pricing_packages_table assigned unsafely at line 52:
    $pricing_packages_table = ''
$link_posts_table assigned unsafely at line 55:
    $link_posts_table = ''
$save_settings assigned unsafely at line 58:
    $save_settings = $geodir_settings