Security Advisory

ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select

The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses.

For instance, the following code is affected by this issue:

$db     = Zend_Db::factory( /* options here */ );
$select = $db->select()
             ->from(array('p' => 'products'))
             ->order('MD5(1); drop table products');
echo $select;

This code produce the string:

SELECT "p".* FROM "products" AS "p" ORDER BY MD5(1);drop table products ASC

instead of the correct one:

SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC

The SQL injection occurs because we create a new Zend_Db_Expr() object, in presence of parentheses, passing directly the value without any filter on the string.

Action Taken

We fixed the issue in the Zend_Db_Select::order() function using a more granular regular expression to match only SQL functions in an ORDER BY statement, such as ORDER BY ABS("zfproducts"."product_id").

The new regular expression is '/^[\w]*\(.*\)$/' instead of the previous '/\(.*\)/'.

This change fixes the issue, filtering the input using quotes for the previous attack.

The previous SQL example with the fix is rendered in the correct way:

SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC

The patch is available starting in Zend Framework 1.12.7.

Other Information

This SQL injection attack does not affect Zend Framework 2 versions because the implementation of Zend\Db\Sql\Select::order() does not manage parenthetical expressions.


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.


Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

Released Thu, 12 June 2014 15:00:00 -0500.

back to advisories