MySql Stored Procedures Parameter Escaping

Question

I came across something odd that I feel is to blatant to be a bug so I am guessing that I am doing something wrong: I have the following Table:

CREATE TABLE BlurbTest
(   
     ID      SERIAL NOT NULL
    ,Blurb   TEXT NOT NULL
);

With the following stored proc:

DELIMITER $$

CREATE PROCEDURE spInsertBlurbTest
(
     OUT ID INT
    ,IN  BlurbParm TEXT
)
BEGIN
    INSERT INTO BlurbTest(
     Blurb
    ) VALUES (
     BlurbParm
    );
    SET ID = LAST_INSERT_ID();
END$$

DELIMITER ;

and the following C# code:

using (var conn = new MySqlConnection(Settings.ConnectionString))
{
    conn.Open();
    using (var cmd = conn.CreateCommand())
    {
     cmd.CommandText = "spInsertBlurbTest";
     cmd.CommandType = CommandType.StoredProcedure;
     MySqlCommandBuilder.DeriveParameters(cmd);
     cmd.Parameters["@BlurbParm"].Value = "let's do it";
     cmd.ExecuteNonQuery(); // Throws Exception
    }
}

Which is throwing an exception with the following message. {"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's do it')' at line 1"}

Now, correct me if I am wrong, but is this not exactly the type of problem that stored procedures and parameters are intended to solve in order to aid against injection attacks?

Or am I doing something wrong here?

Answer 1

You're right, but the driver may not be correctly escaping these characters. Is this yours?

http://bugs.mysql.com/bug.php?id=48247