ERRORsecurity

UnescapedDBParameter

PluginCheck.Security.DirectDB.UnescapedDBParameter

Affected Plugins

On this page

Total Issues

Instances found

Total Impact

Active installations

Examples

Real messages found in scanned plugins

Unescaped parameter $from used in $wpdb->get_results("SELECT * " .\n "FROM $table_name " .\n "WHERE created_at BETWEEN '" . $from . "' AND '" . $to . "' AND post_id='" . $data[ "post_id" ] . "' AND country_code='" . $data[ 'country_code' ] . "' " .\n "ORDER BY created_at DESC")\n$from assigned unsafely at line 619:\n $from = date ('Y-m-d 00:00:00', strtotime ($data[ "from" ]))\n$data["from"] used without escaping.

Unescaped parameter $from used in $wpdb->get_results("SELECT count(*) as visits_count, DATE(created_at) as visits_date " .\n "FROM $table_name " .\n "WHERE created_at BETWEEN '" . $from . "' AND '" . $to . "' AND post_id='" . $data[ "post_id" ] . "' " .\n "GROUP BY visits_date")\n$from assigned unsafely at line 500:\n $from = date ('Y-m-d 00:00:00', strtotime ($data[ "from" ]))\n$data["from"] used without escaping.

Unescaped parameter $from used in $wpdb->get_results("SELECT count(*) as visits_count, country " .\n "FROM $table_name " .\n "WHERE created_at BETWEEN '" . $from . "' AND '" . $to . "' AND post_id='" . $data[ "post_id" ] . "' " .\n "GROUP BY country " .\n "ORDER BY visits_count DESC " .\n "LIMIT 0,10")\n$from assigned unsafely at line 558:\n $from = date ('Y-m-d 00:00:00', strtotime ($data[ "from" ]))\n$data["from"] used without escaping.

Affected Plugins

Plugins that have instances of this rule violation

WP Post Statistics (Visitors & Visits Counter)

wp-post-real-time-statistics

issues

installs

Unescaped parameter $from used in $wpdb->get_results("SELECT count(distinct ip) as visitors_count, DATE(created_at) as visits_date " .\n "FROM $table_name " .\n "WHERE created_at BETWEEN '" . $from . "' AND '" . $to . "' AND post_id='" . $data[ "post_id" ] . "' " .\n "GROUP BY visits_date")\n$from assigned unsafely at line 500:\n $from = date ('Y-m-d 00:00:00', strtotime ($data[ "from" ]))\n$data["from"] used without escaping.

Unescaped parameter $from used in $wpdb->get_results("SELECT count(id) as visits_count, country, country_code " .\n "FROM $table_name " .\n "WHERE created_at BETWEEN '" . $from . "' AND '" . $to . "' AND post_id='" . $data[ "post_id" ] . "' " .\n "GROUP BY country " .\n "ORDER BY visits_count desc ")\n$from assigned unsafely at line 558:\n $from = date ('Y-m-d 00:00:00', strtotime ($data[ "from" ]))\n$data["from"] used without escaping.