Unescaped parameter $atum_orders_str used in $wpdb->get_col($wpdb->prepare( $atum_orders_str, PurchaseOrders::POST_TYPE ))
$atum_orders_str assigned unsafely at line 310:
 $atum_orders_str = str_replace( 'order_itemmeta_table', $order_itemmeta_table, str_replace( 'order_item_table', $order_items_table, $str_sql ) )
$str_sql assigned unsafely at line 294:
 $str_sql = "
                SELECT DISTINCT IF( 0 = IFNULL( oimv.meta_value, 0), oimp.meta_value, oimv.meta_value) product_id
     FROM `{$wpdb->posts}` o
                        INNER JOIN order_item_table oi ON o.ID = oi.order_id
                        LEFT JOIN order_itemmeta_table oimp ON oi.order_item_id = oimp.order_item_id AND oimp.meta_key = '_product_id'
                        LEFT JOIN order_itemmeta_table oimv ON oi.order_item_id = oimv.order_item_id AND oimv.meta_key = '_variation_id'
                        INNER JOIN $atum_product_data_table apd ON     IF( 0 = IFNULL( oimv.meta_value, 0), oimp.meta_value, oimv.meta_value) = apd.product_id
                    WHERE o.post_type = '%s' AND IF( 0 = IFNULL( oimv.meta_value, 0), oimp.meta_value, oimv.meta_value) IS NOT NULL
                        $date_clause AND ( apd.sales_update_date < '$last_executed' OR apd.sales_update_date IS NULL );
            "
$date_clause assigned unsafely at line 292:
 $date_clause = $last_executed ? $wpdb->prepare( 'AND o.post_modified_gmt >= %s', $last_executed ) : ''
$date_clause assigned unsafely at line 276:
 $date_clause = $last_executed ? $wpdb->prepare( 'AND o.date_updated_gmt >= %s', $last_executed ) : ''
$last_executed assigned unsafely at line 269:
 $last_executed = $wpdb->get_var( "SELECT MAX(sales_update_date) FROM $atum_product_data_table;" )
Triage note: the interpolation to look at first is '$last_executed' in the WHERE clause. The value is read back from the database and placed directly in the string, although the same value is bound with %s when $date_clause is built, so it can be passed as a further %s argument to the final prepare() call instead. The $date_clause fragments are already the output of prepare(); the table names cannot be bound with %s, and their origin is not visible in this trace.
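Unescaped parameter $atum_posts used in $wpdb->query("DELETE FROM $wpdb->postmeta WHERE post_id IN (" . implode( ',', $atum_posts ) . ')')
$atum_posts assigned unsafely at line 261:
 $atum_posts = get_posts( $args )
$args assigned unsafely at line 255:
 $args = array(
                    'post_type' => $atum_post_type,
                    'posts_per_page' => - 1,
                    'fields' => 'ids',
                    'post_status' => 'any',
                )
$atum_post_type used without escaping.
Triage note: with 'fields' => 'ids', get_posts() returns post IDs, so the imploded list is expected to be numeric. Passing it through array_map( 'absint', $atum_posts ) before implode() makes that explicit in the code. If the surrounding code does not already do so, the query should be skipped when the list is empty, because IN () is not valid SQL.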
Unescaped parameter $children_sql used in $wpdb->get_results($children_sql)
$children_sql assigned unsafely at line 671:
 $children_sql = $wpdb->prepare("
            SELECT p.ID, p.post_parent FROM $wpdb->posts p
            WHERE p.post_parent IN (
                $parents_sql
            ) AND p.post_type = %s AND p.post_status IN ('" . implode( "','", $products_visibility ) . "')
        ", $post_type )
$parents_sql assigned unsafely at line 661:
 $parents_sql = "
            SELECT DISTINCT p.ID FROM $wpdb->posts p
            LEFT JOIN $wpdb->term_relationships tr ON (p.ID = tr.object_id)
            WHERE tr.term_taxonomy_id IN (" . implode( ',', $parent_product_type_ids ) . ") AND p.post_type = 'product'
            AND p.post_status IN ('" . implode( "','", $products_visibility ) . "')
            GROUP BY p.ID
        "
$products_visibility assigned unsafely at line 651:
 $products_visibility = Globals::get_queryable_product_statuses()
$parent_product_type_ids assigned unsafely at line 659:
 $parent_product_type_ids = apply_filters( 'atum/dashboard/get_children/parent_product_types', [ $parent_product_type->term_taxonomy_id ], $parent_type )
$parent_product_type->term_taxonomy_id used without escaping.
$parent_type used without escaping.
Triage note: $parent_product_type_ids is the return value of apply_filters(), so any code hooked to that filter can change what is imploded into the IN (...) list. Casting each element to an integer after the filter runs keeps the list numeric. The status strings in $products_visibility are concatenated into the format string given to prepare(), so the %s placeholder does not cover them; whether they can vary is not visible in this trace.
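Unescaped parameter $column_name used in $wpdb->query("ALTER TABLE $atum_data_table ADD `$column_name` {$columns[ $column_name ]} DEFAULT NULL;")
$columns[ $column_name ] used without escaping.
Triage note: column names and type definitions cannot be bound with %s, so the usual control for a DDL statement like this is to take both from a fixed list defined in code. The trace does not show where $columns or $atum_data_table come from, so that has to be confirmed in the source before treating the finding as a false positive.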