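Unescaped parameter $__table used in $wpdb->get_col($wpdb->prepare( "SELECT meta_value FROM $__table WHERE meta_key = %s AND post_id = %d", self::LANGUAGE_META_KEY, $postarr['ID'] ))
$__table assigned unsafely at line 3479:
    $__table = _get_meta_table( 'post' )
Triage note: both values in this query are bound through %s/%d; the flagged part is the table identifier, which the trace shows coming from _get_meta_table() called with the literal 'post' rather than from request data. Identifiers cannot be bound with %s or %d, so the scanner reports any interpolated table name; where the minimum supported WordPress version is 6.2 or later, the %i identifier placeholder removes the interpolation.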
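Unescaped parameter $id_column used in $wpdb->get_col($wpdb->prepare( "SELECT $id_column FROM $table WHERE meta_key = %s AND $column = %d", $meta_key, $object_id ))
$id_column assigned unsafely at line 394:
    $id_column = 'meta_id'
$table assigned unsafely at line 388:
    $table = _get_meta_table( $meta_type )
$column assigned unsafely at line 393:
    $column = $meta_type . '_id'
$raw_meta_key assigned unsafely at line 396:
    $raw_meta_key = $meta_key
$meta_key used without escaping.
Triage note: $id_column is a string literal and both values are bound via %s/%d, so the part worth checking is $meta_type, which selects the table and is concatenated into $column. Confirm that callers pass only fixed meta types and that the code returns early when _get_meta_table() yields no table; neither is visible in this trace.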
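Unescaped parameter $id_column used in $wpdb->get_row($wpdb->prepare( "SELECT $id_column, meta_value FROM $table WHERE meta_key = %s AND $column = %d", $meta_key, $object_id ))
$id_column assigned unsafely at line 133:
    $id_column = 'meta_id'
$table assigned unsafely at line 127:
    $table = _get_meta_table( $meta_type )
$column assigned unsafely at line 132:
    $column = $meta_type . '_id'
$raw_meta_key assigned unsafely at line 135:
    $raw_meta_key = $meta_key
$meta_type used without escaping.
$meta_key used without escaping.
Triage note: $id_column is a string literal and $meta_key and $object_id are bound via %s/%d. The identifier path is the one to review: $meta_type selects the table and is concatenated into $column without any sanitising step shown in the trace, so confirm that callers pass only fixed meta types.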
Affected Plugins
Plugins that have instances of this rule violation
Unescaped parameter $query used in $wpdb->get_results($query)
$query assigned unsafely at line 429:
    $query = "SELECT $id FROM $table WHERE 1=1 $post_status $condition"
$id assigned unsafely at line 418:
    $id = self::$tables[ $order['table'] ]->id_field
$table assigned unsafely at line 362:
    $table = $wpdb->prefix . $order['table']
$post_status assigned unsafely at line 382:
    $post_status = "AND post_status REGEXP '" . implode( '|', self::$tables[ $order['table'] ]->post_status ) . "' "
$condition assigned unsafely at line 409:
    $condition = 'AND ( ' . implode( ' OR ', $temp ) . ' )'
$tables[$order['table']]->id_field used without escaping.
$order['table']->id_field used without escaping.
$order['table'] used without escaping.
$tables[$order['table']]->post_status used without escaping.
$order['table']->post_status used without escaping.
$temp assigned unsafely at line 406:
    $temp[] = "$field REGEXP '$wpg_regexp'"
$field assigned unsafely at line 399:
    $field = self::$tables[ $order['table'] ]->include_fields[0]
$wpg_regexp assigned unsafely at line 371:
    $wpg_regexp = '{:[a-z]{2}|[[.[.]]:[a-z]{2}|<!--:[a-z]{2}'
$tables[$order['table']]->include_fields[0] used without escaping.
$order['table']->include_fields[0] used without escaping.
Triage note: the REGEXP pattern is a literal, but the table name, id field, status list and field name are all selected by $order['table'], and the trace does not show where $order comes from. Review should confirm that $order['table'] is checked against the known keys of self::$tables before the query string is built, because no fragment of this query passes through $wpdb->prepare() in the trace.
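Unescaped parameter $query used in $wpdb->query($query)
$query assigned unsafely at line 291:
    $query = "DELETE FROM $table WHERE `option_id` IN ($set)"
$table assigned unsafely at line 266:
    $table = $wpdb->prefix . 'options'
$set assigned unsafely at line 290:
    $set = implode( ',', $records )
$ids assigned unsafely at line 268:
    $ids = $wpdb->get_results( "SELECT `option_id`, `option_name` FROM `{$wpdb->prefix}options` WHERE `option_name` REGEXP 'wpglobus'", ARRAY_A )
$records assigned unsafely at line 276:
    $records[] = $record_id
$record_id used without escaping.
Triage note: $table is built from $wpdb->prefix and a literal, so the IN list is the element to check. The trace shows $records filled from $record_id but not how $record_id is derived; if it is the option_id column of the preceding SELECT, casting each value to an integer (for example with absint()) before implode() makes the list's safety explicit.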