ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

80K

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $column used in $wpdb->get_results("SELECT DISTINCT $column FROM $wpdb->stream")\n$column used without escaping.

Unescaped parameter $count_query used in $wpdb->get_var($count_query)\n$count_query assigned unsafely at line 268:\n $count_query = apply_filters( 'wp_stream_db_count_query', $count_query, $args )\n$count_query assigned unsafely at line 255:\n $count_query = "SELECT COUNT(*) as found\n\t\tFROM $wpdb->stream\n\t\t{$join}\n\t\tWHERE 1=1 {$where}"\n$args used without escaping.\n$join assigned unsafely at line 31:\n $join = ''\n$where assigned unsafely at line 232:\n $where = apply_filters( 'wp_stream_db_query_where', $where )\n$where assigned unsafely at line 162:\n $where .= $wpdb->prepare( " AND $wpdb->stream.%s NOT IN {$format}", $field, $value )\n$format assigned unsafely at line 161:\n $format = '(' . join( ',', array_fill( 0, count( $value ), $type ) ) . ')'\n$type assigned unsafely at line 158:\n $type = is_numeric( array_shift( $value ) ) ? '%d' : '%s'\n$type assigned unsafely at line 130:\n $type = is_numeric( array_shift( $value ) ) ? '%d' : '%s'

Affected Plugins

Plugins that have instances of this rule violation

stream

Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 252:\n $query = apply_filters( 'wp_stream_db_query', $query, $args )\n$query assigned unsafely at line 237:\n $query = "SELECT {$select}\n\t\tFROM $wpdb->stream\n\t\t{$join}\n\t\tWHERE 1=1 {$where}\n\t\t{$orderby}\n\t\t{$limits}"\n$args used without escaping.\n$join assigned unsafely at line 31:\n $join = ''\n$where assigned unsafely at line 232:\n $where = apply_filters( 'wp_stream_db_query_where', $where )\n$where assigned unsafely at line 162:\n $where .= $wpdb->prepare( " AND $wpdb->stream.%s NOT IN {$format}", $field, $value )\n$orderby assigned unsafely at line 201:\n $orderby = sprintf( 'ORDER BY %s %s', $orderby, $order )\n$orderby assigned unsafely at line 188:\n $orderby = sprintf( '%s.%s', $wpdb->stream, $args['orderby'] )\n$format assigned unsafely at line 161:\n $format = '(' . join( ',', array_fill( 0, count( $value ), $type ) ) . ')'\n$args['orderby'] used without escaping.\n$type assigned unsafely at line 158:\n $type = is_numeric( array_shift( $value ) ) ? '%d' : '%s'\n$type assigned unsafely at line 130:\n $type = is_numeric( array_shift( $value ) ) ? '%d' : '%s'\n$value used without escaping.