Hi, FYI I prepared a patch for jessie, see: https://lists.debian.org/debian-lts/2019/02/msg00164.html
For stretch, it is worth noting that the fix depends on whether mysql or mysqli is enabled, whether open_basedir is in effect, and whether we're protecting against user SQL queries or phpmyadmin-generated queries (during CSV import). (but no more phpX-mysql vs. phpX-mysqlnd AFAICS.)

Cheers!
Sylvain