Hi Denio,

The function name should say it all: mssql_get_last_message() returns the
last and only the last message from the server. I'll add an item on my
todo list to implement a mssql_get_server_messages() function that will
allow you to get all messages from the previous mssql_query() call. This
will only be available in PHP 5 as PHP 4 is closed for new features.

- Frank

> Hello,
> I'm trying to build a demo of SQL Injection (SI) to discuss with my
> students. The idea is to use the live demo to show and discuss how to
> avoid SI using some secure code techniques.
> I'm using PHP 4.3.11 and MSSQL 80 on a Windows XP box.
> Sometimes a multiline query is submitted to the server, something like
> --------------------
> use sales; select name from users; drop table xxx;
> --------------------
> Note the query above has in fact three queries, each one producing a
> message but the function mssql_get_last_message() apparently doesn't
> return all of them to the user.
> Capturing the packets during the connection (e.g. Ethereal or tcpdump)
> I can perfectly see all messages returning from the server, like this:
> -----------
> (1) Changed database context to 'sales'
> (2) <result set here>
> (3) Cannot drop the table 'xxx', because it does not exist in the
> system catalog.
> ----------------
> But only the first message is returned from PHP.
> Can anyone help me to explain this behavior?
> Thanks in advance.
> Denio.
> ...................................................................
> Denio Mariz
> Teacher, CEFETPB
> Researcher, GPRT/UFPE, Brazil
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
