Bug #29592 | SQL Injection issue | ||
---|---|---|---|
Submitted: | 6 Jul 2007 8:20 | Modified: | 18 Dec 2007 4:28 |
Reporter: | Yoshinori Matsunobu | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: C API (client library) | Severity: | S2 (Serious) |
Version: | | OS: | Any |
Assigned to: | Davi Arnaut | CPU Architecture: | Any |
[6 Jul 2007 8:20]
Yoshinori Matsunobu
[26 Nov 2007 16:09]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/38532

ChangeSet@1.2588, 2007-11-26 14:09:37-02:00, davi@mysql.com +5 -0
Bug#29592 SQL Injection issue

Remove the mysql_odbc_escape_string() function. The function has multi-byte character escaping issues, doesn't honor the NO_BACKSLASH_ESCAPES mode and is not used anymore by the Connector/ODBC as of 3.51.17.
[6 Dec 2007 9:55]
Bugs System
Pushed into 5.0.54
[6 Dec 2007 10:00]
Bugs System
Pushed into 5.1.23-rc
[6 Dec 2007 10:02]
Bugs System
Pushed into 6.0.5-alpha
[18 Dec 2007 4:28]
Paul DuBois
Noted in 5.0.54, 5.1.23, 6.0.5 changelogs. The mysql_odbc_escape_string() C API function has been removed. It has multi-byte character escaping issues, doesn't honor the NO_BACKSLASH_ESCAPES SQL mode and is not needed anymore by Connector/ODBC as of 3.51.17.
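
The two defects named in the commit message and changelog note above (multi-byte escaping and ignoring NO_BACKSLASH_ESCAPES), shown as an added C example that is not MySQL source or code from this bug report. The names `naive_escape`, `aware_escape`, `first_terminator` and `check` are hypothetical, the GBK byte ranges are a simplified model, and the inputs are constructed.

```c
#include <stdio.h>
/* Simplified GBK model (assumption): lead 0x81-0xFE, trail 0x40-0xFE except 0x7F. */
static int gbk_pair(const unsigned char *s, size_t i, size_t n) {
    return s[i] >= 0x81 && s[i] <= 0xFE && i + 1 < n &&
           s[i + 1] >= 0x40 && s[i + 1] <= 0xFE && s[i + 1] != 0x7F;
}
/* Hypothetical byte-wise escaper: charset-unaware, always emits a backslash. */
static size_t naive_escape(unsigned char *d, const unsigned char *s, size_t n) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'' || s[i] == '\\') d[o++] = '\\';
        d[o++] = s[i];
    }
    return o;
}
/* Hypothetical aware escaper: copies GBK pairs whole, doubles quotes, and doubles
   backslashes only while backslash is an escape (nbe = NO_BACKSLASH_ESCAPES on). */
static size_t aware_escape(unsigned char *d, const unsigned char *s, size_t n,
                           int gbk, int nbe) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (gbk && gbk_pair(s, i, n)) { d[o++] = s[i++]; d[o++] = s[i]; continue; }
        if (s[i] == '\'' || (s[i] == '\\' && !nbe)) d[o++] = s[i];  /* double it */
        d[o++] = s[i];
    }
    return o;
}
/* Modelled server view of a literal body: index of the first quote that would
   close the literal early, or -1 if every quote is neutralised. */
static long first_terminator(const unsigned char *s, size_t n, int gbk, int nbe) {
    for (size_t i = 0; i < n; i++) {
        if (gbk && gbk_pair(s, i, n)) { i++; continue; }          /* one character */
        if (s[i] == '\\' && !nbe && i + 1 < n) { i++; continue; } /* escaped byte */
        if (s[i] == '\'' && i + 1 < n && s[i + 1] == '\'') { i++; continue; }
        if (s[i] == '\'') return (long)i;
    }
    return -1;
}
/* Escape src (at most 32 bytes) and report what the modelled server sees. */
long check(int aware, const unsigned char *src, size_t n, int gbk, int nbe) {
    unsigned char buf[64];
    if (n > 32) return -2;
    size_t len = aware ? aware_escape(buf, src, n, gbk, nbe) : naive_escape(buf, src, n);
    return first_terminator(buf, len, gbk, nbe);
}
int main(void) {
    const unsigned char mb[] = {0xBF, '\''};   /* constructed input */
    return printf("naive=%ld aware=%ld\n", check(0, mb, 2, 1, 0), check(1, mb, 2, 1, 0)) < 0;
}
```

A non-negative result from `check` means the escaped value still contains a quote that ends the literal under the given character set and SQL mode, so the escaper and the server disagree about where the string stops.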