It was discovered that mysql-ocaml, OCaml bindings for MySql, was missing a function to call mysql\_real\_escape\_string(). This is needed, because mysql\_real\_escape\_string() honours the charset of the connection and prevents insufficient escaping, when certain multibyte character encodings are used. The added function is called real\_escape() and takes the established database connection as a first argument. The old escape\_string() was kept for backwards compatibility. Developers using these bindings are encouraged to adjust their code to use the new function. For the oldstable distribution (etch), this problem has been fixed in version 1.0.4-2+etch1. For the stable distribution (lenny), this problem has been fixed in version 1.0.4-4+lenny1. For the testing distribution (squeeze) and the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your mysql-ocaml packages.
[SECURITY] [DSA 1910-1] New mysql-ocaml packages provide secure escaping
pygresql / mysql-ocaml / postgresql-ocaml SQL injection