From ecd247bf1655a881652ef24ee8ec67137d1b80a9 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 23 Jan 2026 11:31:15 +0100
Subject: [PATCH] C++: Add MaD models for MySQL escaping
---
 cpp/ql/lib/ext/MySql.model.yml | 14 ++++++++++++++
 .../code/cpp/models/implementations/MySql.qll | 14 --------------
 2 files changed, 14 insertions(+), 14 deletions(-)
 create mode 100644 cpp/ql/lib/ext/MySql.model.yml
diff --git a/cpp/ql/lib/ext/MySql.model.yml b/cpp/ql/lib/ext/MySql.model.yml
new file mode 100644
index 00000000000..93608177efd
--- /dev/null
+++ b/cpp/ql/lib/ext/MySql.model.yml
@@ -0,0 +1,14 @@
+# partial model of the MySQL api
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: barrierModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*1]", "sql-injection", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*1]", "sql-injection", "manual"]
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
index ca5d7020158..b3fc722b0ed 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
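Review bot: The barrierModel rows mark `Argument[*1]` as a sql-injection barrier unconditionally, which silently encodes two assumptions the file does not state: that the caller interpolates the escaped buffer inside a quoted string literal (escaping quotes and backslashes does nothing for a value placed in a bare numeric or identifier position), and that the call succeeded — `mysql_real_escape_string` returns `(unsigned long)-1` without escaping when the connection runs with NO_BACKSLASH_ESCAPES, which is the reason `mysql_real_escape_string_quote` exists. The removed QL class carried the same limitation, so this is not a regression, but a MaD row has no way to express the condition where the QL could have been refined later, so the header comment is now the only place to record it. I would expand the first line to `# partial model of the MySQL api; the escaping functions are modelled as unconditional sql-injection barriers, i.e. the escaped buffer is assumed to be used inside a quoted literal and the return value checked for failure`. If a stricter model is wanted at some point, dropping the barrier row for `mysql_real_escape_string` while keeping it for the `_quote` variant would be the conservative choice.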
@@ -16,17 +16,3 @@ private class MySqlExecutionFunction extends SqlExecutionFunction {
 
   override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
-  MySqlBarrierFunction() {
-    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(2) and
-    output.isParameterDeref(1)
-  }
-}