Security Advisory - Security - Zend Framework

ZF2016-03: Potential SQL injection in ORDER and GROUP functions of ZF1 The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. The i

[gayou]

ZendFramework 1.xの潜在的なSQLインジェクション脆弱性。

[haromitsu]

“onsidered an improvement of the previous ZF2016-02 and ZF2014-04 advisories. As a final consideration, we recommend developers either never use user input for these operations, or filter user input thoroughly prior to invoking Zend_Db. You can use the Zend_Db_Select:”

[ockeghem]

Zend Frameworkの潜在的なSQLインジェクション CVE-2016-4861 の詳しい解説