Unescaped parameter $AND_NOT_IN used in $wpdb->get_col("SELECT aid FROM $wpdb->democracy_a WHERE qid = $poll_id $AND_NOT_IN")
$AND_NOT_IN assigned unsafely at line 450:
 $AND_NOT_IN = $ids ? sprintf( "AND aid NOT IN (" . implode( ',', $ids ) . ")" ) : ''
$ids assigned unsafely at line 444:
 $ids[] = $aid
$aid assigned unsafely at line 422:
 $aid => 
$answ_row assigned unsafely at line 423:
 $answ_row = $wpdb->get_row( "SELECT * FROM $wpdb->democracy_a WHERE aid = " . (int) $aid )

Unescaped parameter $AND_clause used in $wpdb->query($wpdb->prepare(
			"UPDATE $wpdb->democracy_a SET votes = (votes+1) WHERE qid = %d $AND_clause", $poll->id
		))
$AND_clause assigned unsafely at line 116:
 $AND_clause = ' AND aid IN (' . $aids . ')'
$aids assigned unsafely at line 115:
 $aids = implode( ',', $aids )
$aids assigned unsafely at line 112:
 $aids = array_slice( $aids, 0, $poll->multiple )
$aids assigned unsafely at line 104:
 $aids = reset( $aids )
$aids assigned unsafely at line 96:
 $aids = array_filter( $aids )
$aids assigned unsafely at line 91:
 $aids[] = $aid
$poll->multiple used without escaping.
$aid assigned unsafely at line 90:
 $aid = $this->insert_democratic_answer( $new_free_answer 
$new_free_answer assigned unsafely at line 78:
 $new_free_answer = $id
$aids[] used without escaping.
$id used without escaping.

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $TS_Poll_Answers_Table used in $wpdb->get_results($wpdb->prepare( "SELECT `id` FROM $TS_Poll_Answers_Table WHERE Question_id = %d", (int) $TS_Poll_Question_Copied ))
$TS_Poll_Answers_Table assigned unsafely at line 63:
 $TS_Poll_Answers_Table = $wpdb->prefix . 'ts_poll_answers'
$TS_Poll_Question_Copy assigned unsafely at line 64:
 $TS_Poll_Question_Copy = $wpdb->get_row( $wpdb->prepare( "SELECT `Question_Title`, `Question_Param`, `Question_Style`, `Question_Settings`, `Answers_Sort` FROM $TS_Poll_Question_Table WHERE id = %d", $id ) )
$TS_Poll_Question_Table assigned unsafely at line 62:
 $TS_Poll_Question_Table = $wpdb->prefix . 'ts_poll_questions'
$id used without escaping.

Unescaped parameter $TS_Poll_Answers_Table used in $wpdb->get_results($wpdb->prepare( "SELECT `id`, `Question_id`, `Answer_Title`, `Answer_Param` FROM $TS_Poll_Answers_Table WHERE Question_id = %d", $id ))
$TS_Poll_Answers_Table assigned unsafely at line 63:
 $TS_Poll_Answers_Table = $wpdb->prefix . 'ts_poll_answers'
$TS_Poll_Question_Copy assigned unsafely at line 64:
 $TS_Poll_Question_Copy = $wpdb->get_row( $wpdb->prepare( "SELECT `Question_Title`, `Question_Param`, `Question_Style`, `Question_Settings`, `Answers_Sort` FROM $TS_Poll_Question_Table WHERE id = %d", $id ) )
$TS_Poll_Question_Table assigned unsafely at line 62:
 $TS_Poll_Question_Table = $wpdb->prefix . 'ts_poll_questions'
$id used without escaping.

Unescaped parameter $TS_Poll_Question_Table used in $wpdb->get_row($wpdb->prepare( "SELECT `Question_Title`, `Question_Param`, `Question_Style`, `Question_Settings`, `Answers_Sort` FROM $TS_Poll_Question_Table WHERE id = %d", $id ))
$TS_Poll_Question_Table assigned unsafely at line 62:
 $TS_Poll_Question_Table = $wpdb->prefix . 'ts_poll_questions'
$TS_Poll_Answers_Table assigned unsafely at line 63:
 $TS_Poll_Answers_Table = $wpdb->prefix . 'ts_poll_answers'
$TS_Poll_Question_Copy assigned unsafely at line 64:
 $TS_Poll_Question_Copy = $wpdb->get_row( $wpdb->prepare( "SELECT `Question_Title`, `Question_Param`, `Question_Style`, `Question_Settings`, `Answers_Sort` FROM $TS_Poll_Question_Table WHERE id = %d", $id ) )
$id used without escaping.