$wpdb->posts, $wpdb->postmeta, $wpdb->prefix etc. are WordPress framework table name properties: $wpdb->prefix comes from $table_prefix in wp-config.php, and the per-table properties are derived from it when WordPress initializes the database object. They are not user input; they resolve to fixed strings like wp_posts. Concatenating them is the standard WordPress pattern because $wpdb->prepare() historically had no placeholder for SQL identifiers (table/column names), only for values (%s, %d, %f). WordPress 6.2 added the %i identifier placeholder, but code written for older versions, and most plugin code in the wild, still builds the table name by concatenation.
Possible fixes:
- Switch these rules to taint mode with request superglobals ($_GET, $_POST, $_REQUEST, ...) as the only sources; $wpdb->posts/postmeta/prefix/... are then never tainted and need no special marking, so a query built only from them cannot match
- Add a top-level pattern-not that excludes the entire match when all non-literal sub-expressions are $wpdb-> properties (though semgrep's syntax may not support this directly)
- Document as known FP in the rule metadata, noting that queries using only $wpdb-> table properties are safe
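The first option written out as a rule, as an added example rather than the rule under discussion or anything from the WordPress project. It assumes the rule id, message and sanitizer list shown here; everything else is standard Semgrep taint-mode syntax. Because only the request superglobals are declared as sources, `$wpdb->query("SELECT ID FROM " . $wpdb->posts . " WHERE post_status = 'publish'")` produces no finding, while `$wpdb->query("SELECT ID FROM " . $wpdb->posts . " WHERE ID = " . $_GET['id'])` does.

```yaml
# Added example (not the original rule): taint-mode rewrite that only fires
# when request data reaches a $wpdb query method. Table-name properties such
# as $wpdb->prefix / $wpdb->posts are not sources, so concatenating them alone
# never matches. Rule id, message and sanitizer list are assumptions.
rules:
  - id: wordpress-wpdb-tainted-query
    languages: [php]
    severity: ERROR
    message: >-
      Request data reaches a $wpdb query without $wpdb->prepare() or an
      integer/escaping sanitizer (possible SQL injection).
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    mode: taint
    pattern-sources:
      # Only request-controlled data is tainted; framework properties are not.
      - pattern-either:
          - pattern: $_GET
          - pattern: $_POST
          - pattern: $_REQUEST
          - pattern: $_COOKIE
          - pattern: $_SERVER
    pattern-sanitizers:
      - pattern-either:
          - pattern: absint(...)
          - pattern: intval(...)
          - pattern: esc_sql(...)
          # Assumption: prepare() is used correctly, i.e. every runtime value
          # goes through a %s/%d/%f (or, on WP 6.2+, %i) placeholder.
          - pattern: $wpdb->prepare(...)
    pattern-sinks:
      - pattern-either:
          - pattern: $wpdb->query(...)
          - pattern: $wpdb->get_results(...)
          - pattern: $wpdb->get_var(...)
          - pattern: $wpdb->get_row(...)
          - pattern: $wpdb->get_col(...)
```

Caveat on the `$wpdb->prepare(...)` sanitizer: it declares the whole call clean, so a tainted value interpolated into the format string itself (`$wpdb->prepare("... WHERE col = '$input'")`) is not reported by this rule and needs a separate check on prepare's first argument. The identifier-concatenation false positive the note describes disappears, though, because no source ever reaches `$wpdb->posts` or `$wpdb->prefix`. To confirm, put the safe and unsafe queries above in a PHP test file with Semgrep's `// ok:` and `// ruleid:` annotations and run `semgrep --test`.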