
Fix WordPress.org plugin review compliance issues

Open Copilot opened this issue 3 months ago • 7 comments

Addresses multiple compliance issues flagged during WordPress.org plugin directory review: security vulnerabilities, i18n issues, escaping problems, remote content offloading, and missing external service documentation.

Security

  • Nonce bypass fix in Wedevs_Promotion.php: Changed from bypassable isset() && !wp_verify_nonce() pattern to proper early-fail check
  • Nonce bypass fix in Offers.php: Applied same consistent early-fail pattern to dismiss_offer() function
// Before: nonce check skipped if $_POST['nonce'] not set
if (isset($_POST['nonce']) && !wp_verify_nonce(...)) { ... }

// After: fails if nonce missing or invalid
if (!isset($_POST['nonce']) || !wp_verify_nonce(...)) { wp_send_json_error(); }

Internationalization

  • Fixed interpolated variables in translation strings (configurations.php)
  • Removed empty string translations (sprintf(__('%s', ...)) → direct escaping)
  • Added ordered placeholders to all notification email subjects (%s → %1$s, %2$s)

Escaping

  • Upgrade_2_0.php: json_encode() → wp_json_encode()
  • Output.php: Added wp_kses() for HTML output
  • File_Controller.php: Documented binary download exception

Distribution & Documentation

  • Removed composer.json from .distignore (required by WP.org)
  • Added exclusions for vendor/doctrine/deprecations/src/PHPUnit test folders
  • Fixed Requires at least: "4.4 or higher" → 4.4
  • Added External Services section documenting all third-party APIs (OpenAI, Anthropic, Google, Trello, Asana)

Remote Content

  • Replaced offloaded WordPress.org CDN image with local pm-icon.png

Naming Conventions & Code Quality

  • Class prefix fix: Renamed RoleTableSeeder to PM_RoleTableSeeder to comply with WordPress naming conventions requiring plugin prefixes
  • DB prepared statement: Added phpcs ignore comment for false positive in MyTask_Controller.php where $event_query is already properly prepared with $wpdb->prepare()
Original prompt

List of issues found

Warning about potential trademark misuse and avoidance of redundancy.

Your plugin uses the term WP in the plugin name "weDevs Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart"

As this is the WordPress.org plugin directory, we discourage the use of names that mention WP.

You don't need to use it to indicate that it's for WordPress, as long as the plugin is in the directory it's already for WordPress, and descriptive names can be more clear about what the plugin does.

Please, even if you see other people breaking the guidelines (and trademark law), do not do so yourself. Repeat violations will result in being banned from hosting code on WordPress.org.

Plugin Name: WP Project Manager

Requires at least value has issues

The "Requires at least" value should be the lowest version of WordPress that the plugin will work on, and be the same when you declare it in the plugin headers and in the plugin readme.

Please update your headers/readme to show that, this would be a stable major version of WordPress. For example if you tested it with WordPress 6.3.2, you would be able to set your value to 6.3 as that's the major release.

The following links will assist you in understanding WordPress's versioning and the version numbering:

https://wordpress.org/download/ https://make.wordpress.org/core/handbook/about/release-cycle/version-numbering/

You cannot set it beyond the current version, as that will cause your plugin not to be available on current installations.

From your plugin: ERROR: Requires at least at readme.txt: "4.4 or higher" is expected to be the lowest WordPress version that the plugin will work on. Example: Requires at least: 6.2 ℹ️ Can't include characters, please include only the major version number.

Using composer but could not find composer.json file

We noticed that your plugin is using Composer to handle library dependencies, that's great as it will help maintaining and updating your plugin in the future while avoiding collisions with other plugins that are using same libraries.

The composer.json file describes the dependencies of your project and may contain other metadata as well. It's a small file that typically can be found in the top-most directory of your plugin.

As one of the strengths of open source is the ability to review, observe, and adapt code, we would like to ask you to include that file in your plugin, even if it is only used for development purposes. This will allow others to exercise the open source freedoms from which we all benefit.

From your plugin: composer.json file not found in "wedevs-project-manager/composer.json"

Included Unneeded Folders

Your plugin contains folders and files that typically shouldn’t be included in a production release. Examples include: Development tools Vendor folders not required for production (bower, node, grunt, etc.) Release scripts Demos files Unit tests

Exceptions to this are: If you're including readable source code to comply with the guidelines, that's fine. You may also link to these resources from your README if you prefer. Configuration files needed to rebuild or obtain assets and libraries should be included (for example, composer.json , package.json , and similar files). These help others review, understand, modify, and yes, fork your code.

You can, and should, safely remove those other unneeded folders from your plugins.

From your plugin: wedevs-project-manager/vendor/doctrine/deprecations/src/PHPUnit

Calling files remotely

Offloading images, js, css, and other scripts to your servers or any remote service (like Google, MaxCDN, jQuery.com etc) is disallowed. When you call remote data you introduce an unnecessary dependency on another site. If the file you're calling isn't a part of WordPress Core, then you should include it -locally- in your plugin, not remotely. If the file IS included in WordPress core, please call that instead.

An exception to this rule is if your plugin is performing a service. We will permit this on a case by case basis. Since this can be confusing we have some examples of what are not permitted: Offloading jquery CSS files to Google - You should include the CSS in your plugin. Inserting an iframe with a help doc - A link, or including the docs in your plugin is preferred. Calling images from your own domain - They should be included in your plugin. Here are some examples of what we would permit: Calling font families from Google or their approved CDN (if GPL compatible) API calls back to your server to process possible spam comments (like Akismet) Offloading comments to your own servers (like Disqus) oEmbed calls to a service provider (like Twitter or YouTube) Please remove external dependencies from your plugin and, if possible, include all files within the plugin (that is not called remotely). If instead you feel you are providing a service, please re-write your readme.txt in a manner that explains the service, the serv...



Copilot avatar Dec 05 '25 09:12 Copilot
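The nonce fix in the PR description above only shows the condition that changed. The following is an added example, not the plugin's own code, of what a complete admin-ajax dismiss handler looks like once it fails closed on a missing or invalid nonce and also checks capability (the point raised later in the thread). The action name `pm_dismiss_offer`, the screen hook, the script path and the option name are assumed for illustration.

```php
<?php
/**
 * Added example (not wp-project-manager code): an admin-ajax handler that
 * rejects a request with a MISSING nonce as well as an INVALID one, then
 * checks capability before changing state. Names below are hypothetical.
 */

// Hypothetical names used only in this example.
const PM_EXAMPLE_NONCE_ACTION = 'pm_dismiss_offer';
const PM_EXAMPLE_OPTION       = 'pm_example_offer_dismissed';

/**
 * Hand the nonce to the admin page script. wp_create_nonce() ties it to the
 * current user's session, so the browser cannot fabricate one.
 */
function pm_example_enqueue( $hook ) {
	if ( 'toplevel_page_pm_projects' !== $hook ) { // assumed screen hook
		return;
	}
	wp_enqueue_script( 'pm-example', plugins_url( 'assets/js/example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'pm-example', 'pmExample', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( PM_EXAMPLE_NONCE_ACTION ),
	) );
}
add_action( 'admin_enqueue_scripts', 'pm_example_enqueue' );

/**
 * Dismiss handler. Order matters: CSRF check (nonce) first, authorization
 * (capability) second, state change last. wp_send_json_error() exits, so
 * nothing below a failed check runs.
 */
function pm_example_dismiss_offer() {
	// Fail closed. The old `isset( $_POST['nonce'] ) && ! wp_verify_nonce()`
	// shape skipped the check entirely when the field was simply omitted.
	$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
	if ( '' === $nonce || ! wp_verify_nonce( $nonce, PM_EXAMPLE_NONCE_ACTION ) ) {
		wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
	}

	// A valid nonce only proves the request originated from a page WordPress
	// rendered for this logged-in user. It says nothing about what the user
	// may do, so the capability check is separate and mandatory.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	update_option( PM_EXAMPLE_OPTION, 1 );
	wp_send_json_success();
}
// Logged-in users only: do not also hook wp_ajax_nopriv_ for an admin action.
add_action( 'wp_ajax_pm_example_dismiss_offer', 'pm_example_dismiss_offer' );
```

Core offers `check_ajax_referer( PM_EXAMPLE_NONCE_ACTION, 'nonce' )` as a one-liner for the first block; with its default `$die = true` it terminates the request when the field is absent or invalid, so it has the same fail-closed behaviour as the explicit check above. Whichever form is used, the capability check still has to follow it.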

[!IMPORTANT]

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot] avatar Dec 05 '25 09:12 coderabbitai[bot]

@copilot Nonce and user permission should be checked in every aspect that is required for an action.

iftakharul-islam avatar Dec 05 '25 10:12 iftakharul-islam

@copilot Nonce and user permission should be checked in every aspect that is required for an action.

Applied consistent nonce and permission check pattern to Offers.php::dismiss_offer() as well. Now both promotion dismiss functions use early-fail checks that properly return errors when nonce is missing/invalid or user lacks permission. See commit bc856f4.

Copilot avatar Dec 05 '25 10:12 Copilot

@copilot fix the translation-related issue in the plugin. In the API there is a sanitizer option; add a sanitizer to every API route and endpoint that is missing one.

iftakharul-islam avatar Dec 05 '25 10:12 iftakharul-islam

@copilot fix the translation-related issue in the plugin. In the API there is a sanitizer option; add a sanitizer to every API route and endpoint that is missing one.

This is a substantial request. Could you clarify:

  1. Translation issues: Can you point to specific files or lines with translation problems that need fixing?

  2. API sanitizers: Many routes are missing sanitizers. To prioritize, which specific routes need sanitizers most urgently? For example:

    • settings.php routes (AI settings, general settings)
    • user.php routes (user store, save_users_map_name)
    • role.php routes (store, update)
    • trello.php routes (also missing permissions)
    • task.php routes (sorting, attach/detach users, status changes)
    • task-list.php routes (sorting, privacy, attach/detach users)

Should I address all of these or focus on a specific subset first?

Copilot avatar Dec 05 '25 10:12 Copilot

@copilot There are a couple more prepared statement fixes needed. I have a list of them; check them and create a new PR from this branch to fix them.

FILE: db/seeds/RoleTableSeeder.php

  9:1  ERROR  WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound
    Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: "RoleTableSeeder".

FILE: src/My_Task/Controllers/MyTask_Controller.php

  436:30  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $event_query used in $wpdb->get_results($event_query)
    $event_query assigned unsafely at line 321:
      $event_query = $wpdb->prepare(
        "SELECT tsk.*,
          GROUP_CONCAT( DISTINCT CONCAT( '{',
            '\"', 'meta_key', '\"', ':' , '\"', IFNULL(tskmt.meta_key, '') , '\"', ',',
            '\"', 'meta_value', '\"', ':' , '\"', IFNULL(tskmt.meta_value, '') , '\"'
            ,'}' ) SEPARATOR '|' ) as task_meta,
          GROUP_CONCAT( DISTINCT CONCAT( '{',
            '\"', 'meta_key', '\"', ':' , '\"', IFNULL(boablmt.meta_key, '') , '\"', ',',
            '\"', 'meta_value', '\"', ':' , '\"', IFNULL(boablmt.meta_value, '') , '\"'
            ,'}' ) SEPARATOR '|' ) as list_meta,
          GROUP_CONCAT( DISTINCT CONCAT( '{',
            '\"', 'assigned_to', '\"', ':' , '\"', IFNULL(asins.assigned_to, '') , '\"'
            ,'}' ) SEPARATOR '|' ) as assignees,
          GROUP_CONCAT( DISTINCT CONCAT( IFNULL(sett.value, '') ) SEPARATOR '|' ) as settings,
          GROUP_CONCAT( DISTINCT CONCAT( '{',
            '\"', 'title', '\"', ':' , '\"', IFNULL(pj.title, '') , '\"'
            ,'}' ) SEPARATOR '|' ) as project,
          GROUP_CONCAT( DISTINCT CONCAT( '{',
            '\"', 'board_id', '\"', ':' , '\"', IFNULL(boabl.board_id, '') , '\"'
            ,'}' ) SEPARATOR '|' ) as boardable,
          GROUP_CONCAT( DISTINCT CONCAT( '{',
            '\"', 'id', '\"', ':' , '\"', IFNULL(usr.ID, '') , '\"', ',',
            '\"', 'display_name', '\"', ':' , '\"', IFNULL(usr.display_name, '') , '\"'
            ,'}' ) SEPARATOR '|' ) as users
        FROM {$tb_tasks} as tsk
        LEFT JOIN {$tb_boardables} as boabl
          ON (tsk.id=boabl.boardable_id AND boabl.board_type='task_list' AND boabl.boardable_type='task')
        LEFT JOIN {$tb_boards} as board
          ON (boabl.board_id=board.id AND board.type='task_list')
        LEFT JOIN {$tb_projects} as pj ON (tsk.project_id=pj.id)
        -- For getting multipule assignee users in individual task
        LEFT JOIN {$tb_assignees} as asins ON tsk.id=asins.task_id
        -- For filter user
        LEFT JOIN {$tb_assignees} as asin ON tsk.id=asin.task_id
        -- For getting all users information
        LEFT JOIN {$tb_users} as usr ON asins.assigned_to=usr.ID
        LEFT JOIN {$tb_meta} as tskmt
          ON (tsk.id=tskmt.entity_id AND tskmt.entity_type='task')
        LEFT JOIN {$tb_meta} as boablmt
          ON ( boabl.board_id=boablmt.entity_id AND boablmt.entity_type='task_list')
        LEFT JOIN {$tb_settings} as sett ON pj.id=sett.project_id AND sett.key='capabilities'
        WHERE 1=1
        AND (
          (tsk.due_date >= %s)
          or (tsk.due_date is null and tsk.start_at >= %s)
          or (tsk.start_at is null and tsk.due_date >= %s )
          or ((tsk.start_at is null AND tsk.due_date is null) and tsk.created_at >= %s)
        )
        AND board.id IN ({$boards_id_placeholders})
        {$where_projec_ids}
        {$where_users}
        GROUP BY(tsk.id)",
        $prepare_params
      )
    $where_projec_ids assigned unsafely at line 173:  $where_projec_ids = "AND pj.id IN (0)"
    $where_users assigned unsafely at line 182:       $where_users = " AND asin.assigned_to = %d"
    $project_ids_array assigned unsafely at line 179: $project_ids_array = $project_ids
    $meta_key assigned unsafely at line 185:          $meta_key = pm_user_meta_key()
    $project_ids assigned unsafely at line 154:       $project_ids = $this->get_current_user_project_ids( $user_id )
    $user_id assigned unsafely at line 138:           $user_id = get_current_user_id()

  436:43  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $event_query

FILE: src/User/Controllers/User_Controller.php

  245:38  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $sql

FILE: src/Task/Controllers/Task_Controller.php

  1080:27  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($query)
    $query assigned unsafely at line 1056:
      $query = "SELECT ibord_id, GROUP_CONCAT( DISTINCT task.task_id order by task.iorder DESC) as itasks_id
        FROM
        (
          SELECT
            itasks.id as task_id,
            ibord.board_id as ibord_id,
            ibord.order as iorder
          FROM
            {$table_task} as itasks
            inner join {$table_ba} as ibord on itasks.id = ibord.boardable_id
            AND ibord.board_id in ({$sanitized_list_ids})
            {$permission_join}
          WHERE
            itasks.status=0
            AND ibord.board_type='task_list'
            AND ibord.boardable_type='task'
            {$not_in_clause}
            {$where}
          order by iorder asc
        ) as task
        group by ibord_id"
    $permission_join assigned unsafely at line 1045: $permission_join = apply_filters( 'pm_incomplete_task_query_join', '', absint( $project_id ) )
    $not_in_clause assigned unsafely at line 1047:   $not_in_clause = ''
    $where assigned unsafely at line 1046:           $where = apply_filters( 'pm_incomplete_task_query_where', '', absint( $project_id ) )
    $project_id used without escaping.
    $not_in_tasks used without escaping.

  1080:40  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  1164:27  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($query)
    $query assigned unsafely at line 1140:
      $query = "SELECT ibord_id, GROUP_CONCAT( DISTINCT task.task_id order by task.iorder DESC) as itasks_id
        FROM
        (
          SELECT
            itasks.id as task_id,
            ibord.board_id as ibord_id,
            ibord.order as iorder
          FROM
            {$table_task} as itasks
            inner join {$table_ba} as ibord on itasks.id = ibord.boardable_id
            AND ibord.board_id in ({$sanitized_list_ids})
            {$permission_join}
          WHERE
            itasks.status=1
            AND ibord.board_type='task_list'
            AND ibord.boardable_type='task'
            {$not_in_clause}
            {$where}
          order by iorder asc
        ) as task
        group by ibord_id"
    $permission_join assigned unsafely at line 1129: $permission_join = apply_filters( 'pm_complete_task_query_join', '', absint( $project_id ) )
    $not_in_clause assigned unsafely at line 1131:   $not_in_clause = ''
    $where assigned unsafely at line 1130:           $where = apply_filters( 'pm_complete_task_query_where', '', absint( $project_id ) )
    $project_id used without escaping.
    $not_in_tasks used without escaping.

  1164:40  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

FILE: src/Task/Helper/Task.php

  486:27  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($query)
    $query assigned unsafely at line 478:
      $query = $wpdb->prepare( "SELECT board_id as milestone_id, boardable_id as list_id
        FROM {$tb_boardable}
        WHERE {$tb_boardable}.boardable_id IN ($list_format)
        AND {$tb_boardable}.boardable_type = %s
        AND {$tb_boardable}.board_type = %s",
        $format_data
      )
    $list_format assigned unsafely at line 475: $list_format = pm_get_prepare_format( $list_ids )
    $list_ids assigned unsafely at line 464:   $list_ids = wp_list_pluck( $this->tasks, 'task_list_id' )

  486:40  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  702:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))
    $query assigned unsafely at line 695:
      $query = "SELECT DISTINCT {$tb_meta}.meta_key, {$tb_meta}.meta_value, {$tb_meta}.entity_id as task_id
        FROM {$tb_meta}
        WHERE {$tb_meta}.entity_id IN ($task_format)
        AND {$tb_meta}.entity_type = %s"
    $task_format assigned unsafely at line 692: $task_format = pm_get_prepare_format( $this->task_ids )

  702:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  751:27  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))
    $query assigned unsafely at line 746:
      $query ="SELECT sum(estimation) as estimation, parent_id
        FROM {$tb_tasks}
        WHERE parent_id IN ( $tk_ids_format )
        GROUP BY parent_id"
    $tk_ids_format assigned unsafely at line 743: $tk_ids_format = $this->get_prepare_format( $this->task_ids )

  751:56  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  797:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))
    $query assigned unsafely at line 790:
      $query = "SELECT DISTINCT bor.order, bor.boardable_id as task_id
        FROM {$tb_boardable} as bor
        where bor.boardable_id IN ($tk_ids_format)
        AND bor.boardable_type=%s"
    $tk_ids_format assigned unsafely at line 787: $tk_ids_format = $this->get_prepare_format( $this->task_ids )

  797:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  832:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $this->task_ids ))
    $query assigned unsafely at line 828:
      $query = "SELECT DISTINCT
        FROM {$tb_tasks}
        where parent_id IN ($tk_ids_format)"
    $tk_ids_format assigned unsafely at line 826: $tk_ids_format = $this->get_prepare_format( $this->task_ids )

  832:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  876:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $this->task_ids ))
    $query assigned unsafely at line 870:
      $query = "SELECT DISTINCT typ.id as type_id, typ.title, typ.description, tk.id as task_id
        FROM {$tb_task_types} as typ
        LEFT JOIN {$tb_task_type_task} as typt ON typ.id = typt.type_id
        LEFT JOIN {$tb_tasks_escaped} as tk ON tk.id = typt.task_id
        where tk.id IN ($tk_ids_format)"
    $tk_ids_format assigned unsafely at line 868: $tk_ids_format = $this->get_prepare_format( $this->task_ids )

  876:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  924:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $this->task_ids ))
    $query assigned unsafely at line 918:
      $query = "SELECT DISTINCT bo.id as id, bo.title, tk.id as task_id
        FROM {$tb_list} as bo
        LEFT JOIN {$tb_boardable} as bor ON bor.board_id = bo.id
        LEFT JOIN {$tb_tasks_escaped} as tk ON tk.id = bor.boardable_id
        where tk.id IN ($tk_ids_format)"
    $tk_ids_format assigned unsafely at line 916: $tk_ids_format = $this->get_prepare_format( $this->task_ids )

  924:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  964:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $this->task_ids ))
    $query assigned unsafely at line 959:
      $query = "SELECT DISTINCT pr.id as project_id, pr.title, tk.id as task_id
        FROM {$tb_project} as pr
        LEFT JOIN {$tb_tasks_escaped} as tk ON tk.project_id = pr.id
        where tk.id IN ($tk_ids_format)"
    $tk_ids_format assigned unsafely at line 957: $tk_ids_format = $this->get_prepare_format( $this->task_ids )

  964:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  1035:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))
    $query assigned unsafely at line 1029:
      $query = "SELECT DISTINCT usr.ID as id, usr.display_name, usr.user_email as email, asin.task_id
        FROM {$tb_users} as usr
        LEFT JOIN {$tb_assignees} as asin ON usr.ID = asin.assigned_to
        where asin.task_id IN ($task_format)"
    $task_format assigned unsafely at line 1015: $task_format = pm_get_prepare_format( $this->task_ids )

  1035:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  1086:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))
    $query assigned unsafely at line 1075:
      $query ="SELECT DISTINCT count({$tb_pm_comments}.id) as comment_count,
        {$tb_tasks}.id as task_id
        FROM {$tb_pm_comments}
        LEFT JOIN {$tb_tasks} ON {$tb_tasks}.id = {$tb_pm_comments}.commentable_id
        WHERE {$tb_tasks}.id IN ($task_format)
        AND {$tb_pm_comments}.commentable_type = %s
        group by {$tb_tasks}.id"
    $task_format assigned unsafely at line 1072: $task_format = pm_get_prepare_format( $this->task_ids )

  1086:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  1121:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))
    $query assigned unsafely at line 1113:
      $query = "SELECT DISTINCT count(fl.id) as count, fl.fileable_id as task_id
        from {$tb_pm_files} as fl
        where fl.fileable_id IN ($task_format)
        AND fl.fileable_type = %s
        group by fl.fileable_id"
    $task_format assigned unsafely at line 1110: $task_format = pm_get_prepare_format( $this->task_ids )

  1121:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  1335:29  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $format used in $wpdb->get_results($wpdb->prepare( "SELECT boardable_id as list_id
        FROM {$tb_boardables}
        WHERE board_id IN ($format)
        AND board_type=%s
        AND boardable_type=%s",
        $format_data
      ))
    $format assigned unsafely at line 1332:        $format = pm_get_prepare_format( $milestone_ids )
    $milestone_ids assigned unsafely at line 1330: $milestone_ids = empty( $milestone_ids ) ? [-1] : $milestone_ids
    $milestone_ids assigned unsafely at line 1327: $milestone_ids = pm_get_prepare_data( $milestone )
    $milestone assigned unsafely at line 1318:     $milestone = $this->query_params['milestone']

  1803:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($query)
    $query assigned unsafely at line 1780:
      $query = $wpdb->prepare( "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_tasks}.,
        list.id as task_list_id,
        list.title as task_list_title
        FROM {$this->tb_tasks}
        Left join {$boardable} as boardable ON boardable.boardable_id = {$this->tb_tasks}.id
        Left join {$this->tb_lists} as list ON list.id = boardable.board_id
        {$this->join}
        WHERE %d=%d {$this->where}
        AND boardable.board_type=%s
        AND boardable.boardable_type=%s
        {$this->orderby}
        {$this->limit}",
        1, 1, 'task_list', 'task'
      )

  1803:34  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

FILE: src/Task_List/Helper/Task_List.php

  180:22  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 172:
      $query ="SELECT DISTINCT com.id as comment_id, com.commentable_id as list_id
        FROM $tb_comments as com
        WHERE com.commentable_id IN ($list_format)
        AND com.commentable_type = %s"
    $tb_comments assigned unsafely at line 168: $tb_comments = pm_tb_prefix() . 'pm_comments'
    $list_format assigned unsafely at line 169: $list_format = pm_get_prepare_format( $this->list_ids )

  180:51  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  239:22  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 231:
      $query = "SELECT DISTINCT fil.id as file_id,
        fil.fileable_id as list_id
        FROM $tb_files as fil
        where fil.fileable_id IN ($list_format)
        AND fil.fileable_type=%s"
    $tb_files assigned unsafely at line 227:    $tb_files = pm_tb_prefix() . 'pm_files'
    $list_format assigned unsafely at line 228: $list_format = pm_get_prepare_format( $this->list_ids )

  239:51  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  303:22  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 291:
      $query = "SELECT DISTINCT bor.board_id as list_id,
        bor.boardable_id as task_id
        FROM $tb_boardable as bor
        LEFT JOIN $tb_tasks as tk ON tk.id=bor.boardable_id
        where 1=1
        AND bor.board_id IN ($list_format)
        AND bor.board_type=%s
        AND bor.boardable_type=%s
        AND tk.status=%s"
    $tb_boardable assigned unsafely at line 286: $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $tb_tasks assigned unsafely at line 287:     $tb_tasks = pm_tb_prefix() . 'pm_tasks'
    $list_format assigned unsafely at line 288:  $list_format = pm_get_prepare_format( $this->list_ids )

  303:51  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  367:22  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 355:
      $query = "SELECT DISTINCT bor.board_id as list_id,
        bor.boardable_id as task_id
        FROM $tb_boardable as bor
        LEFT JOIN $tb_tasks as tk ON tk.id=bor.boardable_id
        where 1=1
        AND bor.board_id IN ($list_format)
        AND bor.board_type=%s
        AND bor.boardable_type=%s
        AND tk.status=%s"
    $tb_boardable assigned unsafely at line 350: $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $tb_tasks assigned unsafely at line 351:     $tb_tasks = pm_tb_prefix() . 'pm_tasks'
    $list_format assigned unsafely at line 352:  $list_format = pm_get_prepare_format( $this->list_ids )

  367:51  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  427:27  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 418:
      $query = "SELECT DISTINCT bor.boardable_id as list_id,
        bor.board_id as milestone_id
        FROM $tb_boardable as bor
        where bor.boardable_id IN ($list_format)
        AND bor.board_type=%s
        AND bor.boardable_type=%s"
    $tb_boardable assigned unsafely at line 414: $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $list_format assigned unsafely at line 415:  $list_format = pm_get_prepare_format( $this->list_ids )

  427:56  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  536:27  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 529:
      $query = "SELECT DISTINCT $tb_meta.meta_key, $tb_meta.meta_value, $tb_meta.entity_id
        FROM $tb_meta
        WHERE $tb_meta.entity_id IN ($tasklist_format)
        AND $tb_meta.entity_type = %s "
    $tb_meta assigned unsafely at line 525:         $tb_meta = pm_tb_prefix() . 'pm_meta'
    $tasklist_format assigned unsafely at line 526: $tasklist_format = pm_get_prepare_format( $this->list_ids )

  536:56  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  574:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 563:
      $query ="SELECT DISTINCT count($tb_tasks.id) as task_count, $tb_boardable.board_id as list_id
        FROM $tb_tasks
        LEFT JOIN $tb_boardable ON $tb_boardable.boardable_id = $tb_tasks.id
        WHERE $tb_boardable.board_id IN ($tasklist_format)
        AND $tb_boardable.boardable_type=%s
        AND $tb_boardable.board_type=%s
        group by $tb_boardable.board_id"
    $tb_tasks assigned unsafely at line 558:        $tb_tasks = pm_tb_prefix() . 'pm_tasks'
    $tb_boardable assigned unsafely at line 559:    $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $tasklist_format assigned unsafely at line 560: $tasklist_format = pm_get_prepare_format( $this->list_ids )

  574:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  608:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 597:
      $query ="SELECT DISTINCT count($tb_tasks.id) as task_count, $tb_boardable.board_id as list_id FROM $tb_tasks
        LEFT JOIN $tb_boardable ON $tb_boardable.boardable_id = $tb_tasks.id
        WHERE $tb_boardable.board_id IN ($tasklist_format)
        AND $tb_boardable.boardable_type=%s
        AND $tb_boardable.board_type=%s
        AND $tb_tasks.status = %d
        group by $tb_boardable.board_id"
    $tb_tasks assigned unsafely at line 592:        $tb_tasks = pm_tb_prefix() . 'pm_tasks'
    $tb_boardable assigned unsafely at line 593:    $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $tasklist_format assigned unsafely at line 594: $tasklist_format = pm_get_prepare_format( $this->list_ids )

  608:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  642:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 631:
      $query ="SELECT DISTINCT count($tb_tasks.id) as task_count, $tb_boardable.board_id as list_id FROM $tb_tasks
        LEFT JOIN $tb_boardable ON $tb_boardable.boardable_id = $tb_tasks.id
        WHERE $tb_boardable.board_id IN ($tasklist_format)
        AND $tb_boardable.boardable_type=%s
        AND $tb_boardable.board_type=%s
        AND $tb_tasks.status = %d
        group by $tb_boardable.board_id"
    $tb_tasks assigned unsafely at line 626:        $tb_tasks = pm_tb_prefix() . 'pm_tasks'
    $tb_boardable assigned unsafely at line 627:    $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $tasklist_format assigned unsafely at line 628: $tasklist_format = pm_get_prepare_format( $this->list_ids )

  642:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  675:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 665:
      $query ="SELECT DISTINCT count($tb_pm_comments.id) as comment_count,
        $tb_boards.id as list_id FROM $tb_pm_comments
        LEFT JOIN $tb_boards ON $tb_boards.id = $tb_pm_comments.commentable_id
        WHERE $tb_boards.id IN ($tasklist_format)
        AND $tb_pm_comments.commentable_type = %s
        group by $tb_boards.id"
    $tb_pm_comments assigned unsafely at line 660:  $tb_pm_comments = pm_tb_prefix() . 'pm_comments'
    $tb_boards assigned unsafely at line 661:       $tb_boards = pm_tb_prefix() . 'pm_boards'
    $tasklist_format assigned unsafely at line 662: $tasklist_format = pm_get_prepare_format( $this->list_ids )

  675:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  727:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, ...$query_data ))
    $query assigned unsafely at line 715:
      $query ="SELECT DISTINCT count($tb_users.id) as user_count,
        $tb_boardable.board_id as list_id
        FROM $tb_users
        LEFT JOIN $tb_boardable ON $tb_boardable.boardable_id = $tb_users.id
        WHERE $tb_boardable.board_id IN ( $tasklist_format )
        AND $tb_boardable.board_type = %s
        AND $tb_boardable.boardable_type = %s
        group by $tb_boardable.board_id"
    $tb_users assigned unsafely at line 693:        $tb_users = $wpdb->base_prefix . 'users'
    $tb_boardable assigned unsafely at line 695:    $tb_boardable = pm_tb_prefix() . 'pm_boardables'
    $tasklist_format assigned unsafely at line 696: $tasklist_format = pm_get_prepare_format( $this->list_ids )
    $tb_user_meta assigned unsafely at line 694:    $tb_user_meta = $wpdb->base_prefix . 'usermeta'

  727:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

  1013:21  ERROR  PluginCheck.Security.DirectDB.UnescapedDBParameter
    Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1, 'task_list' ))
    $query assigned unsafely at line 1007:
      $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_list}.*
        FROM {$this->tb_list}
        {$this->join}
        WHERE %d=%d {$this->where} AND $this->tb_list.type=%s
        {$this->orderby} {$this->limit} "

  1013:50  ERROR  WordPress.DB.PreparedSQL.NotPrepared
    Use placeholders and $wpdb->prepare(); found $query

FILE: src/Settings/Helper/Settings.php

  81:70   ERROR  WordPress.DB.PreparedSQL.NotPrepared  Use placeholders and $wpdb->prepare(); found $query
  93:67   ERROR  WordPress.DB.PreparedSQL.NotPrepared  Use placeholders and $wpdb->prepare(); found $query
  105:68  ERROR  WordPress.DB.PreparedSQL.NotPrepared  Use placeholders and $wpdb->prepare(); found $query
  119:33  ERROR  WordPress.DB.PreparedSQL.NotPrepared  Use placeholders and $wpdb->prepare(); found $query

FILE: src/File/Helper/File.php line column type code message docs 365 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1 ))\n$query assigned unsafely at line 359:\n $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_file}.*\n\t\t\tFROM {$this->tb_file}\n\t\t\t{$this->join}\n\t\t\tWHERE %d=%d {$this->where} \n\t\t\t{$this->orderby} {$this->limit}" 365 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

FILE: src/Activity/Helper/Activity.php line column type code message docs 636 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1 ))\n$query assigned unsafely at line 630:\n $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_activity}.*\n\t\t\tFROM {$this->tb_activity}\n\t\t\t{$this->join}\n\t\t\tWHERE %d=%d {$this->where}\n\t\t\t{$this->orderby} {$this->limit} " 636 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

FILE: src/Comment/Helper/Comment.php line column type code message docs 229 22 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 221:\n $query = "SELECT DISTINCT fil.id as file_id,\n\t\t\tfil.fileable_id as comment_id\n\t\t\tFROM $tb_files as fil\n\t\t\twhere fil.fileable_id IN ($comment_format)\n\t\t\tAND fil.fileable_type=%s"\n$tb_files assigned unsafely at line 217:\n $tb_files = pm_tb_prefix() . 'pm_files'\n$comment_format assigned unsafely at line 218:\n $comment_format = pm_get_prepare_format( $this->comment_ids ) 229 51 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 431 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1 ))\n$query assigned unsafely at line 425:\n $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_comment}.*\n\t\t\tFROM {$this->tb_comment}\n\t\t\t{$this->join}\n\t\t\tWHERE %d=%d {$this->where} \n\t\t\t{$this->orderby} {$this->limit}" 431 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

FILE: src/Milestone/Helper/Milestone.php line column type code message docs 204 22 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 195:\n $query = "SELECT DISTINCT bor.boardable_id as discussion_board_id,\n\t\t\tbor.board_id as milestone_id\n\t\t\tFROM $tb_milestones as bor\n\t\t\twhere bor.board_id IN ($milestone_format)\n\t\t\tAND bor.board_type=%s\n\t\t\tAND bor.boardable_type=%s"\n$tb_milestones assigned unsafely at line 191:\n $tb_milestones = pm_tb_prefix() . 'pm_boardables'\n$milestone_format assigned unsafely at line 192:\n $milestone_format = pm_get_prepare_format( $this->milestone_ids ) 204 51 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 260 22 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 251:\n $query = "SELECT DISTINCT bor.boardable_id as list_id,\n\t\t\tbor.board_id as milestone_id\n\t\t\tFROM $tb_milestones as bor\n\t\t\twhere bor.board_id IN ($milestone_format)\n\t\t\tAND bor.board_type=%s\n\t\t\tAND bor.boardable_type=%s"\n$tb_milestones assigned unsafely at line 247:\n $tb_milestones = pm_tb_prefix() . 
'pm_boardables'\n$milestone_format assigned unsafely at line 248:\n $milestone_format = pm_get_prepare_format( $this->milestone_ids ) 260 51 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 299 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 292:\n $query = "SELECT DISTINCT mt.meta_value as achieve_date, mt.entity_id as milestone_id\n\t\t\tFROM $tb_meta as mt\n\t\t\twhere mt.entity_id IN ($milestone_format)\n\t\t\tAND mt.meta_key=%s"\n$tb_meta assigned unsafely at line 288:\n $tb_meta = pm_tb_prefix() . 'pm_meta'\n$milestone_format assigned unsafely at line 289:\n $milestone_format = pm_get_prepare_format( $this->milestone_ids ) 299 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 346 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 336:\n $query = "SELECT DISTINCT count(bor.boardable_id) as total_task_list,\n\t\t\tbor.board_id as milestone_id\n\t\t\tFROM $tb_milestones as bor\n\t\t\twhere bor.board_id IN ($milestone_format)\n\t\t\tAND bor.board_type=%s\n\t\t\tAND bor.boardable_type=%s\n\t\t\tgroup by bor.boardable_id"\n$tb_milestones assigned unsafely at line 332:\n $tb_milestones = pm_tb_prefix() . 
'pm_boardables'\n$milestone_format assigned unsafely at line 333:\n $milestone_format = pm_get_prepare_format( $this->milestone_ids ) 346 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 384 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 374:\n $query = "SELECT DISTINCT count(bor.boardable_id) as total_discussion_board,\n\t\t\tbor.board_id as milestone_id\n\t\t\tFROM $tb_milestones as bor\n\t\t\twhere bor.board_id IN ($milestone_format)\n\t\t\tAND bor.board_type=%s\n\t\t\tAND bor.boardable_type=%s\n\t\t\tgroup by bor.boardable_id"\n$tb_milestones assigned unsafely at line 370:\n $tb_milestones = pm_tb_prefix() . 'pm_boardables'\n$milestone_format assigned unsafely at line 371:\n $milestone_format = pm_get_prepare_format( $this->milestone_ids ) 384 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 419 27 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 412:\n $query = "SELECT DISTINCT $tb_meta.meta_key, $tb_meta.meta_value, $tb_meta.entity_id\n FROM $tb_meta\n WHERE $tb_meta.entity_id IN ($milestone_format)\n AND $tb_meta.entity_type = %s "\n$tb_meta assigned unsafely at line 408:\n $tb_meta = pm_tb_prefix() . 
'pm_meta'\n$milestone_format assigned unsafely at line 409:\n $milestone_format = pm_get_prepare_format( $this->milestone_ids ) 419 56 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 621 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1, 'milestone' ))\n$query assigned unsafely at line 615:\n $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_milestone}.*\n\t\t\tFROM {$this->tb_milestone}\n\t\t\t{$this->join}\n\t\t\tWHERE %d=%d {$this->where} AND $this->tb_milestone.type=%s\n\t\t\t{$this->orderby} {$this->limit} " 621 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

FILE: src/User/Helper/User.php line column type code message docs 260 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1 ))\n$query assigned unsafely at line 254:\n $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_user}.*\n\t\t\tFROM {$this->tb_user}\n\t\t\t{$this->join}\n\t\t\tWHERE %d=%d {$this->where} \n\t\t\t{$this->orderby} {$this->limit} " 260 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

FILE: src/Project/Helper/Project.php line column type code message docs 416 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_meta used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT meta_key, meta_value, project_id\n\t\t\tFROM {$tb_meta}\n\t\t\tWHERE project_id IN ($project_format) \n\t\t\t\tAND entity_type = %s\n\t\t\t\tAND meta_key = %s\n\t\t\t\tAND entity_id = %d", $query_data ))\n$tb_meta assigned unsafely at line 409:\n $tb_meta = $wpdb->prefix . 'pm_meta'\n$current_user_id assigned unsafely at line 410:\n $current_user_id = get_current_user_id() 457 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_meta used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT $tb_meta.meta_key, $tb_meta.meta_value, $tb_meta.project_id, $tb_meta.entity_id\n\t\t\tFROM $tb_meta\n\t\t\tWHERE $tb_meta.project_id IN ($project_format) \n\t\t\tAND $tb_meta.entity_type = %s", $query_data ))\n$tb_meta assigned unsafely at line 451:\n $tb_meta = pm_tb_prefix() . 'pm_meta' 500 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($query)\n$query assigned unsafely at line 491:\n $query = $wpdb->prepare(\n\t\t\t"SELECT DISTINCT COUNT(id) as task_count, project_id \n\t\t\tFROM {$tb_task}\n\t\t\tWHERE project_id IN ($project_format) \n\t\t\tAND status = %d\n\t\t\tGROUP by project_id",\n\t\t\tarray_merge( $query_data, array( 0 ) )\n\t\t)\n$tb_task assigned unsafely at line 487:\n $tb_task = $wpdb->prefix . 
'pm_tasks'\n$project_format assigned unsafely at line 488:\n $project_format = pm_get_prepare_format( $this->project_ids ) 500 34 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 536 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 528:\n $query = "SELECT DISTINCT COUNT($tb_task.id) as task_count, $tb_task.project_id \n\t\t\tFROM $tb_task\n\t\t\tWHERE $tb_task.project_id IN ($project_format) \n\t\t\tAND $tb_task.status = %d\n\t\t\tGROUP by $tb_task.project_id"\n$tb_task assigned unsafely at line 524:\n $tb_task = pm_tb_prefix() . 'pm_tasks'\n$project_format assigned unsafely at line 525:\n $project_format = pm_get_prepare_format( $this->project_ids ) 536 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 592 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_task used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT COUNT(pt.id) as task_count, pt.project_id \n\t\t\tFROM $tb_task as pt\n\t\t\tWHERE pt.project_id IN ($project_format)\n\t\t\tGROUP by pt.project_id", $query_data ))\n$tb_task assigned unsafely at line 588:\n $tb_task = pm_tb_prefix() . 'pm_tasks' 697 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_comments used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT COUNT(pcm.id) as comment_count , project_id\n\t\t\tFROM $tb_comments as pcm\n\t\t\tWHERE pcm.project_id IN ($project_format)\n\t\t\tGROUP BY pcm.project_id", $query_data ))\n$tb_comments assigned unsafely at line 692:\n $tb_comments = pm_tb_prefix() . 
'pm_comments' 776 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_files used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT COUNT(pf.id) as file_count , project_id\n\t\t\tFROM $tb_files as pf\n\t\t\tWHERE pf.project_id IN ($project_format)\n\t\t\tGROUP BY pf.project_id", $query_data ))\n$tb_files assigned unsafely at line 771:\n $tb_files = pm_tb_prefix() . 'pm_files' 814 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_activites used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT COUNT(pma.id) as activity_count , project_id\n\t\t\tFROM $tb_activites as pma\n\t\t\tWHERE pma.project_id IN ($project_format)\n\t\t\tGROUP BY pma.project_id", $query_data ))\n$tb_activites assigned unsafely at line 809:\n $tb_activites = pm_tb_prefix() . 'pm_activities' 887 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_categories used in $wpdb->get_results($wpdb->prepare( "SELECT cats.id as id, cats.title, cats.description, rel.project_id\n\t\t\tFROM $tb_categories as cats\n\t\t\tLEFT JOIN $tb_relation as rel ON rel.category_id = cats.id\n\t\t\twhere rel.project_id IN ($project_format) \n\t\t\tAND cats.categorible_type=%s", $query_data ))\n$tb_categories assigned unsafely at line 878:\n $tb_categories = pm_tb_prefix() . 'pm_categories' 945 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $tb_role_project_capabilities used in $wpdb->get_results($wpdb->prepare( "SELECT DISTINCT rp.project_id, rp.role_id, rpc.capability_id\n\t\t\t\tFROM $tb_role_project_capabilities as rpc\n\t\t\t\tLEFT JOIN $tb_role_project as rp ON rp.id = rpc.role_project_id\n\t\t\t\twhere rp.project_id IN ($project_format)", $query_data ))\n$tb_role_project_capabilities assigned unsafely at line 939:\n $tb_role_project_capabilities = pm_tb_prefix() . 
'pm_role_project_capabilities' 1031 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, $query_data ))\n$query assigned unsafely at line 1025:\n $query = "SELECT DISTINCT usr.ID as id, usr.display_name, usr.user_email as email, asin.project_id, asin.role_id\n\t\t\t\tFROM $tb_users as usr\n\t\t\t\tLEFT JOIN $tb_assignees as asin ON usr.ID = asin.user_id\n\t\t\t\twhere asin.project_id IN ($project_format)"\n$tb_users assigned unsafely at line 1010:\n $tb_users = $wpdb->base_prefix . 'users'\n$tb_assignees assigned unsafely at line 1009:\n $tb_assignees = pm_tb_prefix() . 'pm_role_user'\n$tb_user_meta assigned unsafely at line 1011:\n $tb_user_meta = $wpdb->base_prefix . 'usermeta'\n$project_format assigned unsafely at line 1012:\n $project_format = pm_get_prepare_format( $this->project_ids ) 1031 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query 1399 21 ERROR PluginCheck.Security.DirectDB.UnescapedDBParameter Unescaped parameter $query used in $wpdb->get_results($wpdb->prepare( $query, 1, 1 ))\n$query assigned unsafely at line 1390:\n $query = "SELECT SQL_CALC_FOUND_ROWS DISTINCT {$this->tb_project}.*\n\t\t\tFROM \n\t\t\t\t{$this->tb_project}\n\t\t\t\t{$this->join}\n\t\t\tWHERE %d=%d \n\t\t\t\t{$this->where}\n\t\t\t\t{$this->orderby}\n\t\t\t\t{$this->limit}" 1399 50 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

FILE: src/Task/Transformers/Task_Transformer.php line column type code message docs 105 35 ERROR WordPress.DB.PreparedSQL.NotPrepared Use placeholders and $wpdb->prepare(); found $query

iftakharul-islam, Dec 08 '25 12:12

@copilot There are a couple more prepared statement fixes needed. I have a list of them; check them and create a new PR from this branch and fix them ...

Fixed both issues in commit dc24d52:

  1. RoleTableSeeder class: Renamed to PM_RoleTableSeeder with proper plugin prefix. Updated all references in bootstrap/loaders.php, core/Upgrades/Upgrade.php, core/Upgrades/Upgrade_2_0.php, and core/Installer/Installer.php.

  2. MyTask_Controller.php unescaped parameter: Added phpcs:ignore comment to acknowledge the query is already properly prepared with $wpdb->prepare(). The $event_query variable is assigned from $wpdb->prepare() before being used in $wpdb->get_results(), so the warning is a false positive.

Copilot, Dec 08 '25 12:12
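The pattern the PluginCheck report above keeps flagging is the same in every file: a query string is assembled in a variable (interpolated table name plus an `IN (...)` list produced by `pm_get_prepare_format()`) and only then handed to `$wpdb->prepare()`, so the `NotPrepared` and `UnescapedDBParameter` sniffs cannot follow the data flow. The function below is an added example, not code from wp-project-manager, showing the shape WordPress.org reviewers generally accept: the placeholder list is built inline with one `%d` per id, table names come from `$wpdb->prefix` rather than from input, every request-dependent value is bound through a placeholder, and the remaining sniff findings are silenced with a `phpcs` annotation that states the justification, which is the same false-positive situation the reply above describes for `$event_query`. The function name, the `'task'`/`'task_list'` type values, the `absint()` filtering and the assumption that `$list_ids` is an array of integers are mine, not the plugin's.

```php
<?php
/**
 * Added example (not wp-project-manager code): count tasks per task list with
 * a query whose placeholders phpcs and PluginCheck can follow end to end.
 *
 * Assumptions: $wpdb is the global WordPress database object, the two tables
 * follow the "<prefix>pm_*" naming the report shows, and $list_ids is an
 * array of integers taken from the request.
 *
 * @param int[] $list_ids Task list ids to count tasks for.
 * @return array Rows with task_count and list_id, or an empty array.
 */
function pm_example_task_counts_by_list( $list_ids ) {
    global $wpdb;

    // Drop anything that is not a positive integer before it gets near SQL.
    $list_ids = array_values( array_filter( array_map( 'absint', (array) $list_ids ) ) );
    if ( empty( $list_ids ) ) {
        return array();
    }

    // One %d placeholder per id, so the IN (...) list is part of the prepared
    // statement instead of pre-formatted text interpolated into $query.
    $placeholders = implode( ', ', array_fill( 0, count( $list_ids ), '%d' ) );

    // Identifiers cannot be bound as placeholders; they are derived from
    // $wpdb->prefix (never from input) and quoted with backticks.
    $tb_tasks     = $wpdb->prefix . 'pm_tasks';
    $tb_boardable = $wpdb->prefix . 'pm_boardables';

    // Bound values in the same order as the placeholders in the SQL:
    // the id list first, then the two type strings (assumed example values).
    $args = array_merge( $list_ids, array( 'task', 'task_list' ) );

    // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- table names come from $wpdb->prefix; every value is a placeholder.
    $sql = $wpdb->prepare(
        "SELECT COUNT(`{$tb_tasks}`.id) AS task_count, `{$tb_boardable}`.board_id AS list_id
         FROM `{$tb_tasks}`
         LEFT JOIN `{$tb_boardable}` ON `{$tb_boardable}`.boardable_id = `{$tb_tasks}`.id
         WHERE `{$tb_boardable}`.board_id IN ({$placeholders})
           AND `{$tb_boardable}`.boardable_type = %s
           AND `{$tb_boardable}`.board_type = %s
         GROUP BY `{$tb_boardable}`.board_id",
        $args
    );
    // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared

    // $sql already is the output of $wpdb->prepare(); the NotPrepared sniff
    // cannot see that through the variable, so the annotation records why
    // the finding is a false positive instead of hiding it silently.
    // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- $sql is prepared above.
    return $wpdb->get_results( $sql );
}
```

Two details matter for review: `phpcs:ignore` only covers the very next line, so it must sit directly above the `$wpdb->get_results()` call, while the multi-line `prepare()` call needs a `phpcs:disable`/`phpcs:enable` pair; and the justification after `--` is what lets a reviewer confirm the suppression without re-tracing the code.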