Unescaped parameter $SQL used in $wpdb->get_col($SQL)
$SQL assigned unsafely at line 477:
    $SQL .= "WHERE task_id IN(".implode(',',$safe_ids).")"
$SQL assigned unsafely at line 467:
    $SQL = "SELECT DISTINCT email FROM ".$this->tables['signup']['name']." "
$results assigned unsafely at line 479:
    $results = $this->wpdb->get_col($SQL)
$sheet_id used without escaping.
$TASKSQL assigned unsafely at line 469:
    $TASKSQL = "SELECT id FROM ".$this->tables['task']['name']." WHERE sheet_id = %d"
$task_ids assigned unsafely at line 471:
    $task_ids = $this->wpdb->get_col($this->wpdb->prepare($TASKSQL , $sheet_id))

Unescaped parameter $SQL used in $wpdb->get_col($this->wpdb->prepare($SQL, $sheet_id))
$SQL assigned unsafely at line 336:
    $SQL .= "ORDER BY position, id"
$SQL assigned unsafely at line 334:
    $SQL .= "AND INSTR(`dates`, %s) > 0 "
$SQL assigned unsafely at line 332:
    $SQL = "SELECT id FROM ".$this->tables['task']['name']." WHERE sheet_id = %d "
$date used without escaping.
$results assigned unsafely at line 340:
    $results = $this->wpdb->get_col($this->wpdb->prepare($SQL, $sheet_id))
$sheet_id used without escaping.

Unescaped parameter $SQL used in $wpdb->get_col($this->wpdb->prepare($SQL, $sheet_id))
$SQL assigned unsafely at line 368:
    $SQL = "SELECT DISTINCT dates FROM ".$this->tables['task']['name']." WHERE sheet_id = %d"
$results assigned unsafely at line 369:
    $results = $this->wpdb->get_col($this->wpdb->prepare($SQL, $sheet_id))
$sheet_id used without escaping.

Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $SQL used in $wpdb->get_col($this->wpdb->prepare($SQL, $sheet_id, $date))
$SQL assigned unsafely at line 336:
    $SQL .= "ORDER BY position, id"
$SQL assigned unsafely at line 334:
    $SQL .= "AND INSTR(`dates`, %s) > 0 "
$SQL assigned unsafely at line 332:
    $SQL = "SELECT id FROM ".$this->tables['task']['name']." WHERE sheet_id = %d "
$date used without escaping.
$results assigned unsafely at line 338:
    $results = $this->wpdb->get_col($this->wpdb->prepare($SQL, $sheet_id, $date))
$sheet_id used without escaping.

Unescaped parameter $SQL used in $wpdb->get_results($this->wpdb->prepare($SQL , $task_id))
$SQL assigned unsafely at line 419:
    $SQL .= " ORDER by id"
$SQL assigned unsafely at line 417:
    $SQL .= "AND date = %s"
$SQL assigned unsafely at line 415:
    $SQL = "SELECT * FROM ".$this->tables['signup']['name']." WHERE task_id = %d "
$date used without escaping.
$results assigned unsafely at line 423:
    $results = $this->wpdb->get_results($this->wpdb->prepare($SQL , $task_id))
$task_id assigned unsafely at line 413:
    $task_id = $task_id->id
$task_id->id used without escaping.