Bug #56131 UPDATE query allows AND (before WHERE) between fields and consequently
Submitted: 20 Aug 2010 1:42 Modified: 20 Aug 2010 2:01
Reporter: Vinni Boss Email Updates:
Status: Duplicate Impact on me:
None 
Category:MySQL Server: DML Severity:S2 (Serious)
Version: OS:Any
Assigned to: CPU Architecture:Any
Tags: UPDATE, UPDATE ERROR, update error warning

[20 Aug 2010 1:42] Vinni Boss 
Description:
Update query allows AND instead of "comma" to separate fields and behaves oddly. Update query shouldn't have compiled and should have thrown an error message.

There might be ways to exploit this, but I cannot think of anything right now so have not selected the security vulnerability 

How to repeat:
On any multi-field table
1) Run an UPDATE query which is in the following format
   UPDATE Table1 SET Field1 = 'Value1' AND Field2 = 'Value2' AND Field3 = now() WHERE Field3 = 'Value3';
2) This will not return any error, should return true as in success.

When I was trying out Field1 was of string type and Field2 was integer. Field1 ended up with "0" in its value rather than "Value1" though the other Field set was fine. And the second time I tried this same query and it kept returning true but didnt do anything.

Suggested fix:
Make sure the MYSQL compiler throws an error when AND is used before where.
[20 Aug 2010 2:01] MySQL Verification Team 
Thank you for the bug report. Duplicate of http://bugs.mysql.com/bug.php?id=45651.