Executing PHP Code from MSSQL table

[Danux <danuxx () gmail com>]

Hi, after testing a PHP-MSSQL app, i am able to insert and update
tables but i can't execute store_procedures, so, i was wondering if
its possible to update a table putting something like: "phpinfo()" or
(passthru("ipconfig")) in order to execute while loading the page?

I mean:

inside the html page the images are taken from database so... in a
black box perspective a think is something like: <img src=$img> and i
know where is the table which reads this image name, then i can update
the table and instead of read something like $img = picture.gif, reads
some thing like "phpinfo();". but as you know this is only a string,
even though if i update the table with: eval("phpinfo();") its also a
string .... so it dont get executed!!

So, i would like you help me, what can i do if i am able to insert,
create and update tables but unable to run store procedures, or bulk
or bcp!!!!!

Thanks!!!

-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------