I'm project lead for Zend Framework, and was involved with the current version of zend.com prior to moving full-time to the Zend Framework team two years ago.
Much of zend.com is powered by third-party software. The SQL injection reported here was never hitting Zend Framework, and certainly not Zend_Db; indeed, if you look at the error messages presented, they are straight from PHP's mysql functions. Zend_Db throws exceptions when it encounters error conditions, which result in much different output than what was displayed.
The vendors of the third-party software in question issued a patch for the SQL injection, and that patch has since been applied; this is why the issue no longer presents itself. The 404 page presented is standard throughout the site for pages that do not exist.
Zend_Db itself uses prepared queries under the hood, and you have to work pretty hard to bypass this in order to pass unfiltered SQL to the engine. I can say with absolute confidence that those working on the areas of zend.com that utilize Zend Framework are using Zend_Db correctly, and ensuring that only prepared queries are used.
The Zend Framework team will work more closely with those working on zend.com to ensure that security issues like this do not go unpatched.
weierophinney
RE: If the language developers cannot get it right...
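As an added example, not code from zend.com, its third-party components, or Zend Framework itself, the following shows the two query styles the post above contrasts: input concatenated into a statement run through PHP's mysql_* functions, whose failures print raw mysql_error() text, versus the same lookup through Zend_Db (ZF1) with a bound parameter, whose failures surface as an exception. The table, column names, and connection settings are assumptions made for illustration.

```php
<?php
// Added example; not code from zend.com or Zend Framework. Table, column
// names and connection settings below are assumptions for illustration.

// 1. The pattern behind output such as "You have an error in your SQL
//    syntax ..." coming straight from the mysql extension: request input
//    concatenated into the statement, and the driver's error echoed back.
//    (mysql_* is ZF1-era PHP; it was removed in PHP 7.)
function legacy_lookup($link, $id)
{
    // $id arrives unfiltered from the request, e.g. "1'" or "1' OR '1'='1"
    $sql = "SELECT id, title FROM articles WHERE id = '" . $id . "'";
    $result = mysql_query($sql, $link);
    if ($result === false) {
        // Prints the raw MySQL error to the visitor, confirming the
        // injection point and leaking part of the broken statement.
        die('Query failed: ' . mysql_error($link));
    }
    return mysql_fetch_assoc($result);
}

// 2. The same lookup through Zend_Db. The value is passed as a bind
//    parameter to the adapter's prepared statement rather than spliced
//    into the SQL text, so "1' OR '1'='1" is simply a non-matching id.
//    Errors are raised as Zend_Db_Exception (Zend_Db_Statement_Exception
//    for statement failures), not printed by the driver.
require_once 'Zend/Db.php';

function zend_db_lookup($id)
{
    $db = Zend_Db::factory('Pdo_Mysql', array(
        'host'     => 'localhost',   // assumed connection settings
        'username' => 'app',
        'password' => 'secret',
        'dbname'   => 'site',
    ));

    try {
        // fetchRow($sql, $bind): the "?" placeholder is bound, never interpolated.
        return $db->fetchRow(
            'SELECT id, title FROM articles WHERE id = ?',
            array($id)
        );
    } catch (Zend_Db_Exception $e) {
        // Log server-side; do not echo $e->getMessage() to the visitor.
        error_log('articles lookup failed: ' . $e->getMessage());
        return null;
    }
}
```

The point of the contrast is the one the post makes: an error page quoting MySQL's own syntax message is the signature of the first pattern, while a Zend_Db failure is an uncaught or logged exception, which looks nothing like it. Casting or validating `$id` before the query is still good practice, but with the bind parameter the database never sees the input as SQL.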