Security Advisory

ZF2013-03: Potential SQL injection due to execution of platform-specific SQL containing interpolations

The Zend\Db component in Zend Framework 2 provides platform abstraction, which is used in particular for SQL abstraction. Two methods defined in the platform interface, quoteValue() and quoteValueList(), allow users to manually quote values for creating SQL statements; these are in turn consumed by aspects of the SQL abstraction platform, including Zend\Db\Sql\Sql::getSqlStringForSqlObject(), and the getSqlString() method provided in a number of classes in the Zend\Db\Sql namespace.

While these methods are primarily intended for debugging and logging purposes, developers can use them to produce SQL that is then passed to the driver to execute. Due to a flaw in how the quoteValue() and quoteValueList() methods were written, this can lead to potential SQL injection.

The offending code is located in any of the Zend\Db\Adapter\Platform* objects, particularly the quoteValue() and quoteValueList() methods. These methods did not take into account most of the possible escapable characters that would need to be escaped when attempting to create a quoted value for interpolation into a SQL string. Moreover, these methods did value quoting without extension level coordination which, when available, takes character-sets into account when quoting.

Action Taken

We have made the following changes to the Platform objects:

Recommendations

You are only affected by this as an issue if you directly consume one of the following API's in your code, and execute the results with your database adapter:

ZF2's Zend\Db and other components that utilize Zend\Db never directly rely on interpolation of values into SQL strings. This means that unless you find any of the above calls in your code, or any code that effectively calls quoteValue(), this issue does not affect you.

If you do, however, we recommend immediately upgrading to either version 2.0.8 or 2.1.4.

While this advice can be found in many places, it is always worth repeating: you should never rely on interpolation of values into SQL strings; always use prepared statements / parameterization / extension specific value binding.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

back to advisories