--- commands/sql/sql.drush.inc
+++ commands/sql/sql.drush.inc
@@ -832,6 +832,7 @@ function drush_sql_build_createdb_sql($db_spec, $quoted = FALSE) {
 
 function drush_sql_build_exec($db_spec, $filepath) {
   $scheme = _drush_sql_get_scheme($db_spec);
+  $filepath = drush_escape_path($filepath);
   switch ($scheme) {
     case 'mysql':
       $exec = 'mysql' . (drush_get_context('DRUSH_VERBOSE') ? ' -v' : '');
--- includes/drush.inc
+++ includes/drush.inc
@@ -1342,6 +1342,54 @@ function _drush_escapeshellarg_windows($arg) {
 }
 
 /**
+ * Escape a path for shell use.
+ *
+ * This only works for local commands.
+ * TODO: Make a unified drush_escape_path
+ * that works on Linux and Windows.
+ */
+function drush_escape_path($path) {
+  if (drush_is_windows()) {
+    return _drush_escape_path_windows($path);
+  }
+  else {
+    return _drush_escape_path_linux($path);
+  }
+}
+
+/**
+ * Escape a path for shell use on Windows.
+ */
+function _drush_escape_path_windows($path) {
+  // Escape double quotes.
+  $path = preg_replace('/"/', '\\"', $path);
+
+  // Escape single quotes.
+  $path = preg_replace('/\'/', '\\\'', $path);
+
+  // Add surrounding quotes.
+  $path = '"' . $path . '"';
+
+  return $path;
+}
+
+/**
+ * Escape a path for shell use on Linux.
+ */
+function _drush_escape_path_linux($path) {
+  // Escape whitespaces.
+  $path = preg_replace('/ /', '\\ ', $path);
+
+  // Escape double quotes.
+  $path = preg_replace('/"/', '\\"', $path);
+
+  // Escape single quotes.
+  $path = preg_replace('/\'/', '\\\'', $path);
+
+  return $path;
+}
+
+/**
  * Stores output for the most recent shell command.
  * This should only be run from drush_shell_exec().
  *