The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses, as discussed in http://framework.zend.com/security/advisory/ZF2014-04.