sqlsrv PHP extension, which provides the ability to connect to Microsoft
SQL Server from PHP, does not provide a built-in quoting mechanism for manually
quoting values to pass via SQL queries; developers are encouraged to use
prepared statements. Zend Framework provides quoting mechanisms via Zend
Zend_Db_Adapter_Sqlsrv and Zend Framework 2's
Zend\Db\Adapter\Platform\SqlServer classes; these traditionally use the
recommended "double single quote" (
'') as quoting delimiters.
SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.
Developers using the relevant
PDO_Sqlsrv adapter in any version of Zend
Framework are not vulnerable to this attack, as PDO provides a native quoting
mechanism that prevents the attack vector.
When quoting values for SQL server, we now pass them to PHP's addcslashes function to sanitize and properly quote null bytes:
$value = addcslashes($value, "\000\032");
This action quotes null bytes, preventing SQL injection vectors.
The following releases contain the fixes:
If you are using an affected version of PHP, and utilizing the sqlsrv PHP extensio within Zend Framework, we highly recommend upgrading immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Zend_Db_Adapter_Sqlsrvcomponent of ZF1;
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org