BUG#18293 (Values in stored procedures written to binlog unescaped):

Generating character set-independent quoting of strings for the
binary log when executing statements from inside stored procedure.

mysql-test/r/ctype_cp932_binlog.result

@@ -15,3 +15,32 @@ SELECT HEX(f1) FROM t1;
 HEX(f1)
 8300
 DROP table t1;
+CREATE TABLE t4 (s1 CHAR(50) CHARACTER SET latin1,
+s2 CHAR(50) CHARACTER SET cp932,
+d DECIMAL(10,2))|
+CREATE PROCEDURE bug18293 (IN ins1 CHAR(50),
+IN ins2 CHAR(50) CHARACTER SET cp932,
+IN ind DECIMAL(10,2))
+BEGIN
+INSERT INTO t4 VALUES (ins1, ins2, ind);
+END|
+CALL bug18293("Foo's a Bar", _cp932 0xED40ED41ED42, 47.93)|
+SELECT HEX(s1),HEX(s2),d FROM t4|
+HEX(s1)	HEX(s2)	d
+466F6F2773206120426172	ED40ED41ED42	47.93
+DROP PROCEDURE bug18293|
+DROP TABLE t4|
+SHOW BINLOG EVENTS FROM 393|
+Log_name	Pos	Event_type	Server_id	End_log_pos	Info
+master-bin.000001	393	Query	1	556	use `test`; CREATE TABLE t4 (s1 CHAR(50) CHARACTER SET latin1,
+s2 CHAR(50) CHARACTER SET cp932,
+d DECIMAL(10,2))
+master-bin.000001	556	Query	1	801	use `test`; CREATE DEFINER=`root`@`localhost` PROCEDURE bug18293 (IN ins1 CHAR(50),
+IN ins2 CHAR(50) CHARACTER SET cp932,
+IN ind DECIMAL(10,2))
+BEGIN
+INSERT INTO t4 VALUES (ins1, ins2, ind);
+END
+master-bin.000001	801	Query	1	1006	use `test`; INSERT INTO t4 VALUES ( NAME_CONST('ins1',_latin1'Foo\'s a Bar'),  NAME_CONST('ins2',_cp932 0xED40ED41ED42),  NAME_CONST('ind',47.93))
+master-bin.000001	1006	Query	1	1092	use `test`; DROP PROCEDURE bug18293
+master-bin.000001	1092	Query	1	1168	use `test`; DROP TABLE t4

mysql-test/t/ctype_cp932_binlog.test

@@ -32,3 +32,26 @@ DROP table t1;
 # end test for bug#11338
 
 # End of 4.1 tests
+
+#
+# Bug#18293: Values in stored procedure written to binlog unescaped
+#
+
+delimiter |;
+CREATE TABLE t4 (s1 CHAR(50) CHARACTER SET latin1,
+                 s2 CHAR(50) CHARACTER SET cp932,
+                 d DECIMAL(10,2))|
+CREATE PROCEDURE bug18293 (IN ins1 CHAR(50),
+                           IN ins2 CHAR(50) CHARACTER SET cp932,
+                           IN ind DECIMAL(10,2))
+  BEGIN
+    INSERT INTO t4 VALUES (ins1, ins2, ind);
+  END|
+CALL bug18293("Foo's a Bar", _cp932 0xED40ED41ED42, 47.93)|
+SELECT HEX(s1),HEX(s2),d FROM t4|
+DROP PROCEDURE bug18293|
+DROP TABLE t4|
+SHOW BINLOG EVENTS FROM 393|
+delimiter ;|
+
+# End of 5.0 tests

sql/item.cc

@@ -2642,25 +2642,8 @@ const String *Item_param::query_val_str(String* str) const
   case STRING_VALUE:
   case LONG_DATA_VALUE:
     {
-      char *buf, *ptr;
       str->length(0);
-      if (str->reserve(str_value.length()*2+3))
-        break;
-
-      buf= str->c_ptr_quick();
-      ptr= buf;
-      if (value.cs_info.character_set_client->escape_with_backslash_is_dangerous)
-      {
-        ptr= str_to_hex(ptr, str_value.ptr(), str_value.length());
-      }
-      else
-      {
-        *ptr++= '\'';
-        ptr+= escape_string_for_mysql(str_value.charset(), ptr, 0,
-                                      str_value.ptr(), str_value.length());
-        *ptr++='\'';
-      }
-      str->length((uint32) (ptr - buf));
+      append_query_string(value.cs_info.character_set_client, &str_value, str);
       break;
     }
   case NULL_VALUE:

sql/log_event.cc

@@ -239,6 +239,37 @@ char *str_to_hex(char *to, const char *from, uint len)
   return to;                               // pointer to end 0 of 'to'
 }
 
+/*
+  Append a version of the 'from' string suitable for use in a query to
+  the 'to' string.  To generate a correct escaping, the character set
+  information in 'csinfo' is used.
+ */
+#ifndef MYSQL_CLIENT
+int
+append_query_string(CHARSET_INFO *csinfo,
+                    String const *from, String *to)
+{
+  char *beg, *ptr;
+  uint32 const orig_len= to->length();
+  if (to->reserve(orig_len + from->length()*2+3))
+    return 1;
+
+  beg= to->c_ptr_quick() + to->length();
+  ptr= beg;
+  if (csinfo->escape_with_backslash_is_dangerous)
+    ptr= str_to_hex(ptr, from->ptr(), from->length());
+  else
+  {
+    *ptr++= '\'';
+    ptr+= escape_string_for_mysql(from->charset(), ptr, 0,
+                                  from->ptr(), from->length());
+    *ptr++='\'';
+  }
+  to->length(orig_len + ptr - beg);
+  return 0;
+}
+#endif
+
 /*
   Prints a "session_var=value" string. Used by mysqlbinlog to print some SET
   commands just before it prints a query.

sql/mysql_priv.h

@@ -529,6 +529,8 @@ bool delete_precheck(THD *thd, TABLE_LIST *tables);
 bool insert_precheck(THD *thd, TABLE_LIST *tables);
 bool create_table_precheck(THD *thd, TABLE_LIST *tables,
                            TABLE_LIST *create_table);
+int append_query_string(CHARSET_INFO *csinfo,
+                        String const *from, String *to);
 
 void get_default_definer(THD *thd, LEX_USER *definer);
 LEX_USER *create_default_definer(THD *thd);

sql/sp_head.cc

@@ -80,8 +80,8 @@ sp_map_item_type(enum enum_field_types type)
 /*
   Return a string representation of the Item value.
 
-  NOTE: this is a legacy-compatible implementation. It fails if the value
-  contains non-ordinary symbols, which should be escaped.
+  NOTE: If the item has a string result type, the string is escaped
+  according to its character set.
 
   SYNOPSIS
     item    a pointer to the Item
@@ -119,9 +119,9 @@ sp_get_item_value(Item *item, String *str)
 
         buf.append('_');
         buf.append(result->charset()->csname);
-        buf.append('\'');
-        buf.append(*result);
-        buf.append('\'');
+        if (result->charset()->escape_with_backslash_is_dangerous)
+          buf.append(' ');
+        append_query_string(result->charset(), result, &buf);
         str->copy(buf);
 
         return str;