Security Advisory: AG2014-01

AG2014-01: Potential Database Injection Vector in DB-Connected REST Services

zf-apigility contains a class, ZF\Apigility\DbConnectedResource, used by all DB-Connected REST services for prototyping web services that write to a database table, or for simple CRUD-style web services.

This class was correctly pulling data from the composed input filter, if any, for create() operations. However, it was not doing so for update() and patch() operations, leading to the potential for unfiltered data to make its way to the database.

Note, however, that this is not a SQL injection vulnerability, as database updates were still using the underlying database abstraction layer. However, in cases where values are expected to be normalized, unfiltered versions could enter the database; additionally, if any data not matching existing database columns were provided, database errors could occur.

Action Taken

Each of the create(), update(), and patch() operations in the ZF\Apigility\DbConnectedResource class were updated to always pull data from the composed input filter when present.

The following releases contain the fixes:

  • zf-apigility 1.0.2
  • Apigility (zf-apigility-skeleton) 1.0.3

Other Information


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Released 2014-06-05

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.