Hi Denio,

The function name should say it all: mssql_get_last_message() returns the last and only the last message from the server.

I'll add an item on my to-do list to implement a mssql_get_server_messages() function that will allow you to get all messages from the previous mssql_query() call. This will only be available in PHP 5, as PHP 4 is closed for new features.

- Frank

> Hello,
>
> I'm trying to build a demo of SQL Injection (SI) to discuss with my
> students. The idea is to use the live demo to show and discuss how to
> avoid SI using some secure code techniques.
>
> I'm using PHP 4.3.11 and MSSQL 80 on a Windows XP box.
>
> Sometimes a multiline query is submitted to the server, something like this:
> --------------------
> use sales; select name from users; drop table xxx;
> --------------------
>
> Note the query above has in fact three queries, each one producing a
> message, but the function mssql_get_last_message() apparently doesn't
> return all of them to the user.
>
> Capturing the packets during the connection (e.g. ethereal or tcpdump)
> I can perfectly see all messages returning from the server, like this:
> -----------
> (1) Changed database context to 'sales'
> (2) <result set here>
> (3) Cannot drop the table 'xxx', because it does not exist in the
> system catalog.
> ----------------
>
> But only the first message is returned from PHP mssql_get_last_message().
>
> Can anyone help me to explain this behavior?
>
> Thanks in advance.
>
>
> Denio.
>
> ...................................................................
> Denio Mariz
> Teacher, CEFETPB
> Researcher, GPRT/UFPE, Brazil
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php