logo

Database

SQL injection - Code In zendframework/zendframework1

Description

ZendFramework potential SQL Injection Vector When Using PDO_MySql Developers using non-ASCII-compatible encodings in conjunction with the MySQL PDO driver of PHP may be vulnerable to SQL injection attacks. Developers using ASCII-compatible encodings like UTF8 or latin1 are not affected by this PHP issue, which is described in more detail here:

http://bugs.php.net/bug.php?id=47802 The PHP Group included a feature in PHP 5.3.6+ that allows any character set information to be passed as part of the DSN in PDO to allow both the database as well as the C-level driver to be aware of which charset is in use which is of special importance when PDO's quoting mechanisms are utilized, which Zend Framework also relies on.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-qf36-fx9f-232x

References

1. https://framework.zend.com/security/advisory/ZF2011-022. https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2011-02.yaml3. http://bugs.php.net/bug.php?id=47802

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.