CSV files exported from phpMyAdmin could allow a formula injection attack. ¶

It is possible to generate a CSV file that, when imported to a spreadsheet program such as Microsoft Excel, could potentially allow the execution of arbitrary commands.

The CSV files generated by phpMyAdmin could potentially contain text that would be interpreted by a spreadsheet program as a formula, but we do not believe escaping those fields is the proper behavior. There is no means to properly escape and differentiate between a desired text output and a formula that should be escaped, and CSV is a text format where function definitions should not be interpreted anyway. We have discussed this at length and feel it is the responsibility of the spreadsheet program to properly parse and sanitize such data on input instead.

Google also has a similar view.