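Unescaped parameter $column_name used in $wpdb->get_var($wpdb->prepare(
    "SELECT {$column_name} FROM {$wpdb->posts} WHERE ID=%d AND post_type=%s",
    $action_id,
    self::POST_TYPE
))
Note: $column_name is interpolated into the SQL string before prepare() runs, so the %d and %s placeholders do not cover it; prepare() binds values, not identifiers. Whether this is reachable with untrusted input depends on where $column_name comes from, which this finding does not show. Checking it against a fixed allowlist of column names (or using the %i identifier placeholder on WordPress 6.2 and later) resolves the finding.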
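Unescaped parameter $count_query used in $wpdb->get_var($count_query)
$count_query assigned unsafely at line 143:
    $count_query = "$count_query WHERE posts.ID NOT IN ($not_in)"
$count_query assigned unsafely at line 140:
    $count_query = "SELECT COUNT(posts.ID) FROM ($posts_query) AS posts"
$posts_query assigned unsafely at line 119:
    $posts_query = $this->prepare_posts_query( array( 'ID' ) )
Note: the trace stops at prepare_posts_query() and never shows how $not_in is built, so the finding stands or falls on those two inputs. If $not_in is a list of post IDs, casting each element to an integer before joining them is the usual fix; the subquery is safe only if prepare_posts_query() itself returns a fully prepared statement.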
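Unescaped parameter $field used in $wpdb->get_var("SELECT DATE_ADD(`post_{$field}_gmt`, INTERVAL '$sec' SECOND) FROM `$wpdb->posts` WHERE $where ORDER BY `post_{$field}_gmt` $order LIMIT 1")
$field used without escaping.
$where assigned unsafely at line 107:
    $where .= " AND $week=$w"
$order assigned unsafely at line 111:
    $order = ( 'last' === $which ) ? 'DESC' : 'ASC'
$week assigned unsafely at line 106:
    $week = _wp_mysql_week( 'post_date' )
$w used without escaping.
$timezone assigned unsafely at line 53:
    $timezone = strtolower( $timezone )
$date assigned unsafely at line 131:
    $date = $wpdb->get_var( "SELECT DATE_ADD(`post_{$field}_gmt`, INTERVAL '$sec' SECOND) FROM `$wpdb->posts` WHERE $where ORDER BY `post_{$field}_gmt` $order LIMIT 1" )
Note: as shown, $order can only be the literal 'DESC' or 'ASC', and $week comes from _wp_mysql_week() called with a constant argument, so those two trace entries are not attacker-controlled on their own. The values to review are $field, $w and $sec, whose origins the trace does not show. $field is used as part of a column name, so it needs an allowlist rather than value escaping, and $w and $sec should be cast to integers.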
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $field used in $wpdb->get_var("SELECT `post_{$field}_gmt` FROM `$wpdb->posts` WHERE $where ORDER BY `post_{$field}_gmt` $order LIMIT 1")
$field used without escaping.
$where assigned unsafely at line 107:
    $where .= " AND $week=$w"
$order assigned unsafely at line 111:
    $order = ( 'last' === $which ) ? 'DESC' : 'ASC'
$week assigned unsafely at line 106:
    $week = _wp_mysql_week( 'post_date' )
$w used without escaping.
$timezone assigned unsafely at line 53:
    $timezone = strtolower( $timezone )
$date assigned unsafely at line 122:
    $date = $wpdb->get_var( "SELECT `post_{$field}_gmt` FROM `$wpdb->posts` WHERE $where ORDER BY `post_{$field}_gmt` $order LIMIT 1" )
Unescaped parameter $field used in $wpdb->get_var("SELECT `post_{$field}` FROM `$wpdb->posts` WHERE $where ORDER BY `post_{$field}` $order LIMIT 1")
$field used without escaping.
$where assigned unsafely at line 107:
    $where .= " AND $week=$w"
$order assigned unsafely at line 111:
    $order = ( 'last' === $which ) ? 'DESC' : 'ASC'
$week assigned unsafely at line 106:
    $week = _wp_mysql_week( 'post_date' )
$w used without escaping.
$timezone assigned unsafely at line 53:
    $timezone = strtolower( $timezone )
$date assigned unsafely at line 126:
    $date = $wpdb->get_var( "SELECT `post_{$field}` FROM `$wpdb->posts` WHERE $where ORDER BY `post_{$field}` $order LIMIT 1" )