ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $column used in $wpdb->get_row($wpdb->prepare(\n\t\t\t\t\t"\n\t\t\tSELECT *\n\t\t\tFROM {$table}\n\t\t\tWHERE {$column} LIKE %s\n\t\t\tORDER BY {$key_column} ASC\n\t\t\tLIMIT 1\n\t\t", $key\n\t\t\t\t))\n$column assigned unsafely at line 281:\n $column = 'meta_key'\n$key_column assigned unsafely at line 282:\n $key_column = 'meta_id'\n$value_column assigned unsafely at line 283:\n $value_column = 'meta_value'\n$key assigned unsafely at line 286:\n $key = $wpdb->esc_like( $this->identifier . '_batch_' ) . '%'

Unescaped parameter $column used in $wpdb->get_var($wpdb->prepare(\n\t\t\t\t\t"\n\t\t\tSELECT COUNT(*)\n\t\t\tFROM {$table}\n\t\t\tWHERE {$column} LIKE %s\n\t\t", $key\n\t\t\t\t))\n$column assigned unsafely at line 204:\n $column = 'meta_key'\n$key assigned unsafely at line 207:\n $key = $wpdb->esc_like( $this->identifier . '_batch_' ) . '%'

Unescaped parameter $item used in $wpdb->get_results($this->wpdb->prepare( \t\t\t\tsprintf("\n\t\t\t\tSELECT option_name\n\t\t\t\tFROM %s\n\t\t\t\tWHERE autoload IN (%s)\n\t\t\t\tAND option_name NOT IN ( " . implode( ',', array_map( function( $item ) {\n\t\t\t\t\treturn "'" . esc_sql( $item ) . "'";\n\t\t\t\t}, $excludes )\n\t\t\t\t) . " )\n\t\t\t\tORDER BY LENGTH(option_value) DESC\n\t\t\t\tLIMIT 1",\n\t\t\t\t$this->wpdb->options,\n\t\t\t\timplode( ',', array_fill( 0, count( $autoload_values ), '%s' ) ) ),\n\t\t\t\t$autoload_values\n\t\t\t))\n$item used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

Speed Optimizer – The All-In-One Performance-Boosting Plugin

siteground-migrator

issues

60K

installs