Bug #29592 SQL Injection issue
Submitted: 6 Jul 2007 8:20 Modified: 18 Dec 2007 4:28
Reporter: Yoshinori Matsunobu Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: C API (client library) Severity:S2 (Serious)
Version: OS:Any
Assigned to: Davi Arnaut CPU Architecture:Any
Triage: D3 (Medium)

[6 Jul 2007 8:20] Yoshinori Matsunobu
Description:
all my notes go into "Private comment"

How to repeat:
in "Private comment"
[26 Nov 2007 16:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38532

ChangeSet@1.2588, 2007-11-26 14:09:37-02:00, davi@mysql.com +5 -0
  Bug#29592 SQL Injection issue
  
  Remove the mysql_odbc_escape_string() function. The function
  has multi-byte character escaping issues, doesn't honor the
  NO_BACKSLASH_ESCAPES mode and is not used anymore by the
  Connector/ODBC as of 3.51.17.
[6 Dec 2007 9:55] Bugs System
Pushed into 5.0.54
[6 Dec 2007 10:00] Bugs System
Pushed into 5.1.23-rc
[6 Dec 2007 10:02] Bugs System
Pushed into 6.0.5-alpha
[18 Dec 2007 4:28] Paul Dubois
Noted in 5.0.54, 5.1.23, 6.0.5 changelogs.

The mysql_odbc_escape_string() C API function has been removed. It
has multi-byte character escaping issues, doesn't honor the
NO_BACKSLASH_ESCAPES SQL mode and is not needed anymore by
Connector/ODBC as of 3.51.17.