Index: driver/execute.c
===================================================================
--- driver/execute.c	(revision 1063)
+++ driver/execute.c	(working copy)
@@ -417,6 +417,7 @@
                 break;
             }
     }
+
     switch ( param->SqlType )
     {
         case SQL_DATE:
@@ -425,7 +426,7 @@
         case SQL_TIMESTAMP:
             if ( data[0] == '{' )       /* Of type {d date } */
                 return add_to_buffer(net,to,data,length);
-            /* else threat as a string */
+            /* else treat as a string */
         case SQL_CHAR:
         case SQL_VARCHAR:
         case SQL_LONGVARCHAR:
@@ -435,15 +436,8 @@
         case SQL_WCHAR:
         case SQL_WVARCHAR:
         case SQL_WLONGVARCHAR:
-            {
-              to= add_to_buffer(net,to,"'",1);
-              /* Make sure we have room for a fully-escaped string. */
-              if (!(to= extend_buffer(net, to, length * 2)))
-                return 0;
-              to+= mysql_real_escape_string(&dbc->mysql, to, data, length);
-              to= add_to_buffer(net, to, "'", 1);
-              return to;
-            }
+            break;
+
         case SQL_TIME:
         case SQL_TYPE_TIME:
             if ( param->CType == SQL_C_TIMESTAMP ||
@@ -485,11 +479,23 @@
                 if ( to == buff )
                     *to++='0';    /* Fix for empty strings */
                 data= buff; length= (uint) (to-buff);
+
+                convert= 0;
+
             }
             /* Fall through */
         default:
+          if (!convert)
             return add_to_buffer(net,to,data,length);
     }
+
+    to= add_to_buffer(net,to,"'",1);
+    /* Make sure we have room for a fully-escaped string. */
+    if (!(to= extend_buffer(net, to, length * 2)))
+      return 0;
+    to+= mysql_real_escape_string(&dbc->mysql, to, data, length);
+    to= add_to_buffer(net, to, "'", 1);
+    return to;
 }
 
 
Index: driver/cursor.c
===================================================================
--- driver/cursor.c	(revision 1063)
+++ driver/cursor.c	(working copy)
@@ -424,13 +424,7 @@
     /* We have to remove zero bytes or we have problems! */
     while ( (*to > orig_to) && (*((*to) - 1) == (SQLCHAR) 0) ) (*to)--;
 
-    /* insert "," */
-    param.SqlType= SQL_INTEGER;
-    param.CType= SQL_C_CHAR;
-    param.buffer= ",";
-    *param.actual_len= 1;
-
-    if ( !(*to= (SQLCHAR*) insert_param(stmt->dbc,(char*) *to, &param)) )
+    if (!(*to= (SQLCHAR *)add_to_buffer(*net, (char *)*to, ",", 1)))
         return set_error(stmt,MYERR_S1001,NULL,4001);
 
     return(SQL_SUCCESS);
@@ -469,8 +463,6 @@
 static SQLRETURN copy_field_data(STMT FAR *stmt, PARAM_BIND *param,
                                  NET **net, SQLCHAR **to)
 {
-    PARAM_BIND dummy;
-    SQLLEN     dummy_len= 5; /* sizeof(" AND ") */
     SQLUINTEGER length= *(param->actual_len)+5;
 
     if ( !(*to= (SQLCHAR*) extend_buffer(*net, (char*) *to,length)) )
@@ -480,12 +472,7 @@
         return set_error(stmt,MYERR_S1001,NULL,4001);
 
     /* Insert " AND ", where clause with multiple search */
-    dummy.SqlType= SQL_INTEGER;
-    dummy.CType= SQL_C_CHAR;
-    dummy.buffer= " AND ";
-    dummy.actual_len= &dummy_len;
-
-    if ( !(*to= (SQLCHAR*) insert_param(stmt->dbc, (char*) *to, &dummy)) )
+    if (!(*to= (SQLCHAR *)add_to_buffer(*net, (char *)*to, " AND ", 5)))
         return set_error(stmt,MYERR_S1001,NULL,4001);
 
     return SQL_SUCCESS;
Index: test/my_result.c
===================================================================
--- test/my_result.c	(revision 1063)
+++ test/my_result.c	(working copy)
@@ -2058,6 +2058,47 @@
 }
 
 
+/**
+ Bug #34575: SQL_C_CHAR value type and numeric parameter type causes trouble
+*/
+DECLARE_TEST(t_bug34575)
+{
+  SQLCHAR buff[10];
+  SQLLEN len= 0;
+  SQLSMALLINT namelen, type, digits, nullable;
+
+  ok_stmt(hstmt, SQLPrepare(hstmt, (SQLCHAR *) "SELECT ?", SQL_NTS));
+  strcpy((char *)buff, "2.0");
+  ok_stmt(hstmt, SQLBindParameter(hstmt, 1, SQL_PARAM_INPUT, SQL_C_CHAR,
+                                  SQL_DECIMAL, 10, 0, buff, sizeof(buff),
+                                  &len));
+
+  /* Note: buff has '2.0', but len is still 0! */
+  ok_stmt(hstmt, SQLExecute(hstmt));
+
+  ok_stmt(hstmt, SQLFetch(hstmt));
+  is_str(my_fetch_str(hstmt, buff, 1), "", 1);
+
+  expect_stmt(hstmt, SQLFetch(hstmt), SQL_NO_DATA);
+
+  strcpy((char *)buff, "2.0");
+  len= 3;
+
+  ok_stmt(hstmt, SQLFreeStmt(hstmt, SQL_CLOSE));
+
+  ok_stmt(hstmt, SQLExecute(hstmt));
+
+  ok_stmt(hstmt, SQLFetch(hstmt));
+  is_str(my_fetch_str(hstmt, buff, 1), "2.0", 4);
+
+  expect_stmt(hstmt, SQLFetch(hstmt), SQL_NO_DATA);
+
+  ok_stmt(hstmt, SQLFreeStmt(hstmt, SQL_CLOSE));
+
+  return OK;
+}
+
+
 BEGIN_TESTS
   ADD_TEST(my_resultset)
   ADD_TEST(t_convert_type)
@@ -2086,6 +2127,7 @@
   ADD_TEST(t_bug13776)
   ADD_TEST(t_bug13776_auto)
   ADD_TEST(t_bug32420)
+  ADD_TEST(t_bug34575)
 END_TESTS
 
 
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 1064)
+++ ChangeLog	(working copy)
@@ -33,6 +33,8 @@
     (Bug #34256)
   * Fixed some incorrect information returned by SQLGetTypeInfo().
     (Bug #30918)
+  * Values bound using the SQL_C_CHAR value type but with numeric
+    parameter type were not correctly escaped. (Bug #34575)
 
 ----