Unescaped parameter $booking_table used in $wpdb->get_results("SELECT $table_name.*, COUNT($booking_table.id) as total_booking, $host_table.first_name as host_first_name, $host_table.last_name as host_last_name FROM $table_name
				LEFT JOIN $booking_table ON $table_name.id = $booking_table.meeting_id
				LEFT JOIN $host_table ON $table_name.host_id = $host_table.id
				GROUP BY $table_name.id ORDER BY $table_name.id DESC
				")
$booking_table assigned unsafely at line 176:
 $booking_table = $wpdb->prefix . 'tfhb_bookings'
$host_table assigned unsafely at line 175:
 $host_table = $wpdb->prefix . 'tfhb_hosts'
$id used without escaping.
$data assigned unsafely at line 219:
 $data = $wpdb->get_results(
				"SELECT $table_name.*, COUNT($booking_table.id) as total_booking, $host_table.first_name as host_first_name, $host_table.last_name as host_last_name FROM $table_name
				LEFT JOIN $booking_table ON $table_name.id = $booking_table.meeting_id
				LEFT JOIN $host_table ON $table_name.host_id = $host_table.id
				GROUP BY $table_name.id ORDER BY $table_name.id DESC
				"
			)
Note: this query is not passed through $wpdb->prepare(). The interpolated values whose assignments are shown ($booking_table, $host_table) are table names built from $wpdb->prefix and a fixed suffix; the assignment of $table_name is not shown and should be checked the same way. The query shown does not reference $id, so that line of the finding appears to relate to other code in the same function.
Unescaped parameter $booking_table used in $wpdb->get_results($wpdb->prepare( "SELECT $table_name.*, COUNT($booking_table.id) as total_booking, $host_table.first_name as host_first_name, $host_table.last_name as host_last_name FROM $table_name
				LEFT JOIN $booking_table ON $table_name.id = $booking_table.meeting_id LEFT JOIN $host_table ON $table_name.host_id = $host_table.id WHERE $table_name.user_id = %s GROUP BY $table_name.id ORDER BY $table_name.id DESC", $user_id ))
$booking_table assigned unsafely at line 176:
 $booking_table = $wpdb->prefix . 'tfhb_bookings'
$host_table assigned unsafely at line 175:
 $host_table = $wpdb->prefix . 'tfhb_hosts'
$id used without escaping.
$data assigned unsafely at line 213:
 $data = $wpdb->get_results(
				$wpdb->prepare( "SELECT $table_name.*, COUNT($booking_table.id) as total_booking, $host_table.first_name as host_first_name, $host_table.last_name as host_last_name FROM $table_name
				LEFT JOIN $booking_table ON $table_name.id = $booking_table.meeting_id LEFT JOIN $host_table ON $table_name.host_id = $host_table.id WHERE $table_name.user_id = %s GROUP BY $table_name.id ORDER BY $table_name.id DESC", $user_id ) 
			)
$user_id used without escaping.
Note: in the call shown, $user_id is bound through the %s placeholder of $wpdb->prepare(), so the "$user_id used without escaping" line does not match this query. What remains interpolated are table names, which %s cannot bind; WordPress 6.2 added the %i identifier placeholder for that purpose. The assignment of $table_name is not shown and should be confirmed to be a fixed, prefix-based name like the other two.
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $booking_table used in $wpdb->get_row($wpdb->prepare( "SELECT $table_name.*, COUNT($booking_table.id) as total_booking, $host_table.first_name as host_first_name, $host_table.last_name as host_last_name FROM $table_name
				LEFT JOIN $booking_table ON $table_name.id = $booking_table.meeting_id
				LEFT JOIN $host_table ON $table_name.host_id = $host_table.id 
				WHERE $table_name.id = %s GROUP BY $table_name.id", $id ))
$booking_table assigned unsafely at line 176:
 $booking_table = $wpdb->prefix . 'tfhb_bookings'
$host_table assigned unsafely at line 175:
 $host_table = $wpdb->prefix . 'tfhb_hosts'
$id used without escaping.
$data assigned unsafely at line 178:
 $data = $wpdb->get_row(
				$wpdb->prepare( "SELECT $table_name.*, COUNT($booking_table.id) as total_booking, $host_table.first_name as host_first_name, $host_table.last_name as host_last_name FROM $table_name
				LEFT JOIN $booking_table ON $table_name.id = $booking_table.meeting_id
				LEFT JOIN $host_table ON $table_name.host_id = $host_table.id 
				WHERE $table_name.id = %s GROUP BY $table_name.id", $id )
			)
Note: in the call shown, $id is bound through the %s placeholder of $wpdb->prepare(), so the "$id used without escaping" line does not match this query. The interpolated values whose assignments are shown are table names built from $wpdb->prefix and a fixed suffix. The assignment of $table_name is not shown and should be checked the same way.
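Unescaped parameter $cal_table used in $wpdb->get_results("SHOW COLUMNS FROM $cal_table LIKE '$cal_new'")
$cal_table assigned unsafely at line 236:
 $cal_table = $prefix . 'wbk_gg_calendars'
$cal_new assigned unsafely at line 238:
 $cal_new = 'ggid'
$prefix assigned unsafely at line 233:
 $prefix = get_option('wbk_db_prefix', '')
$new_exists assigned unsafely at line 241:
 $new_exists = $wpdb->get_results(
 "SHOW COLUMNS FROM $cal_table LIKE '$cal_new'"
 )
Note: $cal_new is the constant 'ggid', but $cal_table begins with the value of the wbk_db_prefix option, so a stored setting flows into the table identifier without validation or identifier quoting. Whether this is a real exposure depends on who can write that option. Restricting the prefix to an expected character set before use, or binding the table name with the %i identifier placeholder (WordPress 6.2+), removes the dependency.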
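Unescaped parameter $cal_table used in $wpdb->get_results("SHOW COLUMNS FROM $cal_table LIKE '$cal_old'")
$cal_table assigned unsafely at line 236:
 $cal_table = $prefix . 'wbk_gg_calendars'
$cal_old assigned unsafely at line 237:
 $cal_old = 'calendar_id'
$prefix assigned unsafely at line 233:
 $prefix = get_option('wbk_db_prefix', '')
$cal_new assigned unsafely at line 238:
 $cal_new = 'ggid'
$new_exists assigned unsafely at line 241:
 $new_exists = $wpdb->get_results(
 "SHOW COLUMNS FROM $cal_table LIKE '$cal_new'"
 )
Note: $cal_old is the constant 'calendar_id', but $cal_table begins with the value of the wbk_db_prefix option, so a stored setting flows into the table identifier without validation or identifier quoting. The $cal_new and $new_exists lines describe the neighbouring query in the same function, not this one.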