Zend\Db component in Zend Framework 2 provides platform abstraction, which
is used in particular for SQL abstraction. Two methods defined in the platform
quoteValueList(), allow users to manually quote
values for creating SQL statements; these are in turn consumed by aspects of the
SQL abstraction platform, including
getSqlString() method provided in a number of classes in the
While these methods are primarily intended for debugging and logging purposes,
developers can use them to produce SQL that is then passed to the driver to
execute. Due to a flaw in how the
were written, this can lead to potential SQL injection.
The offending code is located in any of the
quoteValueList() methods. These methods
did not take into account most of the possible escapable characters that would
need to be escaped when attempting to create a quoted value for interpolation
into a SQL string. Moreover, these methods did value quoting without extension
level coordination which, when available, takes character-sets into account when
We have made the following changes to the Platform objects:
quoteValue()to use the driver level quoting/escaping mechanism to provide an "as safe as possible" value.
You are only affected by this as an issue if you directly consume one of the following API's in your code, and execute the results with your database adapter:
Zend\Db and other components that utilize
Zend\Db never directly rely
on interpolation of values into SQL strings. This means that unless you find any
of the above calls in your code, or any code that effectively calls
quoteValue(), this issue does not affect you.
If you do, however, we recommend immediately upgrading to either version 2.0.8 or 2.1.4.
While this advice can be found in many places, it is always worth repeating: you should never rely on interpolation of values into SQL strings; always use prepared statements / parameterization / extension specific value binding.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org