The PDO adapters of Zend Framework 1 did not filter null byte values in
SQL statements. A PDO adapter can treat null bytes in a query as a
string terminator, allowing an attacker to add arbitrary SQL following a
null byte, and thus create a SQL injection.

For Debian 6 Squeeze, this issue has been fixed in zendframework
version 1.10.6-1squeeze6.
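
An application-level guard for the null byte handling described above, as an added example that is not Zend Framework code or the Debian patch: it refuses any statement or string parameter containing a NUL byte and passes values as bound parameters. The helper names `rejectNullBytes` and `guardedQuery` are hypothetical, the table and values are constructed, and the `pdo_sqlite` extension is assumed to be available.

```php
<?php
// Added example: hypothetical helpers, not part of Zend Framework.

/** Throw if a string contains a NUL byte that a driver could read as a terminator. */
function rejectNullBytes(string $value, string $label): void
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException("NUL byte in $label");
    }
}

/** Check the statement and every string parameter, then run a prepared query. */
function guardedQuery(PDO $pdo, string $sql, array $params = []): array
{
    rejectNullBytes($sql, 'SQL statement');
    foreach ($params as $name => $value) {
        if (is_string($value)) {
            rejectNullBytes($value, "parameter $name");
        }
    }
    // Values travel as bound parameters and are never concatenated into SQL text.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$pdo->exec("INSERT INTO users (name) VALUES ('bob')");

$sql = 'SELECT id, name FROM users WHERE name = :name';

// Ordinary value: passes the check and is executed.
$rows = guardedQuery($pdo, $sql, [':name' => 'alice']);
echo count($rows), " row(s) returned\n";

// Constructed value with an embedded NUL byte: refused before it reaches the driver.
try {
    guardedQuery($pdo, $sql, [':name' => "alice\0tail"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```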