ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

40K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $sql used in $wpdb->get_results($sql)\n$sql assigned unsafely at line 71:\n $sql .= ' ORDER BY orig_string ASC'\n$sql assigned unsafely at line 68:\n $sql .= ' ORDER BY ' . $order_by . ' ' . $order_direction\n$this->items assigned unsafely at line 76:\n $this->items = $wpdb->get_results( $sql, ARRAY_A )\n$order_by assigned unsafely at line 53:\n $order_by = isset( $_GET['orderby'] ) ?\n\t\t\tsanitize_key( wp_unslash( $_GET['orderby'] ) ) :\n\t\t\tnull\nNote: sanitize_key() is not a safe escaping function.\n$_GET['orderby'] used without escaping.

Affected Plugins

Plugins that have instances of this rule violation