Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:
The PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.
Zend_Db was patched to ensure that any charset information provided to the PDO
MySQL adapter will be sent to PDO both as part of the DSN as well as in a SET
NAMES query. This ensures that any developer using ZF on PHP 5.3.6+ while using
non-ASCII compatible encodings is safe from SQL injection while using the PDO's
quoting mechanisms or emulated prepared statements.
The patch has been applied starting in versions 1.11.6 and 1.10.9 of Zend Framework.
If you are using non-ASCII compatible encodings, such as GBK, in conjunction with PDO's MySQL adapter, we strongly urge you to consider upgrading to at least PHP 5.3.6 and use Zend Framework version 1.11.6 or greater, or 1.10.9 if still using the 1.10 series of releases.
The Zend Framework team thanks the following for working with us to help protect its users:
Released 2011-05-07
Have you identified a security vulnerability?
Please report it to us at zf-security@zend.com