Unescaped parameter $chats_query used in $wpdb->get_results($wpdb->prepare($chats_query, $webinarId))
$chats_query assigned unsafely at line 208:
    $chats_query = "SELECT
        {$tableChats}.id,
        {$tableChats}.webinar_id,
        attendee_id,
        content,
        timestamp,
        name,
        `admin`,
        `private`
        FROM {$tableChats}
        LEFT OUTER JOIN {$tableSubsc} w ON {$tableChats}.attendee_id=w.id
        WHERE {$tableChats}.webinar_id=%d
        ORDER BY id ASC
    "
$tableChats assigned unsafely at line 204:
    $tableChats = WebinarSysteemTables::get_chats()
$tableSubsc assigned unsafely at line 205:
    $tableSubsc = WebinarSysteemTables::get_subscribers()

Unescaped parameter $poll_table used in $wpdb->get_results("SELECT p.`id`, p.`name`, p.`config`, COUNT(DISTINCT(v.attendee_id)) responses FROM {$poll_table} p LEFT JOIN {$vote_table} v ON p.id = v.poll_id GROUP BY p.id")
$poll_table assigned unsafely at line 17:
    $poll_table = WebinarSysteemTables::get_polls()
$vote_table assigned unsafely at line 18:
    $vote_table = WebinarSysteemTables::get_poll_votes()

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 599:
    $query = $wpdb->prepare( $sql,
        $type,
        $webinar->id,
        $offset,
        $webinar_now,
        $config->from * $config->multiplier,
        $offset,
        $webinar_now,
        $config->to * $config->multiplier)
$sql assigned unsafely at line 583:
    $sql = "
        SELECT s.id, s.name, s.email, s.webinar_id, s.secretkey, s.exact_time, s.custom_fields
        FROM {$subscribers_table} s
        LEFT JOIN {$notifications_table} n
        ON s.id = n.attendee_id
        AND s.webinar_id = n.webinar_id
        AND n.notification_type = %d
        WHERE s.webinar_id=%d
        AND DATE_ADD(exact_time, INTERVAL %d SECOND) > DATE_ADD(%s, INTERVAL %d SECOND)
        AND DATE_ADD(exact_time, INTERVAL %d SECOND) < DATE_ADD(%s, INTERVAL %d SECOND)
        AND s.{$config->sent_field} != 1
        AND n.id IS null
        AND s.anonymous_email != 1
    "
$subscribers_table assigned unsafely at line 570:
    $subscribers_table = WebinarSysteemTables::get_subscribers()
$notifications_table assigned unsafely at line 571:
    $notifications_table = WebinarSysteemTables::get_notifications()
$config->sent_field used without escaping.

Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare($query, $now, $webinar_id, $now))
$query assigned unsafely at line 66:
    $query = "
        SELECT
        id,
        name,
        high_five,
        email,
        last_seen,
        TIMESTAMPDIFF(MINUTE, last_seen, %s) idle_minutes
        FROM $table
        WHERE webinar_id=%d and
        last_seen > date_add(%s, interval -10 minute);
    "

Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare($query, $webinar_id))
$query assigned unsafely at line 249:
    $query = "
        select
        {$chats_table}.id,
        {$chats_table}.webinar_id,
        attendee_id,
        content,
        timestamp,
        name,
        `admin` is_team_member,
        private is_private
        from {$chats_table}
        left outer join {$attendees_table} attendees
        on {$chats_table}.attendee_id = attendees.id
        where {$chats_table}.webinar_id = %d
        order by id asc
    "
$chats_table assigned unsafely at line 246:
    $chats_table = WebinarSysteemTables::get_chats()
$attendees_table assigned unsafely at line 247:
    $attendees_table = WebinarSysteemTables::get_subscribers()