Security Advisory: ZF2014-04

ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select

The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses.

For instance, the following code is affected by this issue:

$db     = Zend_Db::factory( /* options here */ );
$select = $db->select()
    ->from(array('p' => 'products'))
    ->order('MD5(1); drop table products');
echo $select;

This code produce the string:

SELECT "p".* FROM "products" AS "p" ORDER BY MD5(1);drop table products ASC

instead of the correct one:

SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC

The SQL injection occurs because we create a new Zend_Db_Expr() object, in presence of parentheses, passing directly the value without any filter on the string.

Action Taken

We fixed the issue in the Zend_Db_Select::order() function using a more granular regular expression to match only SQL functions in an ORDER BY statement, such as ORDER BY ABS("zfproducts"."product_id").

The new regular expression is '/^[\w]*\(.*\)$/' instead of the previous '/\(.*\)/'. This change fixes the issue, filtering the input using quotes for the previous attack.

The previous SQL example with the fix is rendered in the correct way:

SELECT "p".* FROM "products" AS "p" ORDER BY "MD5(1);drop table products" ASC

The patch is available starting in Zend Framework 1.12.7.

Other Information

This SQL injection attack does not affect Zend Framework 2 versions because the implementation of Zend\Db\Sql\Select::order() does not manage parenthetical expressions.


The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

  • Cassiano Dal Pizzol, who discovered the original issue;
  • Lars Kneschke, who analyzed and reported the issue;
  • Enrico Zimuel, who provided the patch.

Released 2014-06-12

Back to advisories

Have you identified a security vulnerability?

Please report it to us at


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.