Hi Clint, I just put another 3 hours into it: The bug happens in this source code line: if(passwd_len>255) { passwd[255] = '\0'; } of php_mssql_do_connect. I found this out by disassembling the code in the core dump: Dump of assembler code for function php_mssql_do_connect: 0x00007f1d4804c330 <+0>: push %r14 0x00007f1d4804c332 <+2>: push %r13 0x00007f1d4804c334 <+4>: push %r12 0x00007f1d4804c336 <+6>: mov %r9d,%r12d 0x00007f1d4804c339 <+9>: push %rbp 0x00007f1d4804c33a <+10>: mov %edi,%ebp 0x00007f1d4804c33c <+12>: push %rbx 0x00007f1d4804c33d <+13>: mov %rsi,%rbx 0x00007f1d4804c340 <+16>: lea 0x2ef8(%rip),%rsi # 0x7f1d4804f23f 0x00007f1d4804c347 <+23>: sub $0xc0,%rsp 0x00007f1d4804c34e <+30>: mov %fs:0x28,%rax 0x00007f1d4804c357 <+39>: mov %rax,0xb8(%rsp) 0x00007f1d4804c35f <+47>: xor %eax,%eax 0x00007f1d4804c361 <+49>: lea 0x8f(%rsp),%rax 0x00007f1d4804c369 <+57>: lea 0x88(%rsp),%rcx 0x00007f1d4804c371 <+65>: lea 0x78(%rsp),%rdx 0x00007f1d4804c376 <+70>: lea 0x84(%rsp),%r9 0x00007f1d4804c37e <+78>: lea 0x70(%rsp),%r8 0x00007f1d4804c383 <+83>: movq $0x0,0x78(%rsp) 0x00007f1d4804c38c <+92>: mov %rax,0x10(%rsp) 0x00007f1d4804c391 <+97>: lea 0x80(%rsp),%rax 0x00007f1d4804c399 <+105>: movq $0x0,0x70(%rsp) 0x00007f1d4804c3a2 <+114>: movq $0x0,0x68(%rsp) 0x00007f1d4804c3ab <+123>: movb $0x0,0x8f(%rsp) 0x00007f1d4804c3b3 <+131>: mov %rax,0x8(%rsp) 0x00007f1d4804c3b8 <+136>: lea 0x68(%rsp),%rax 0x00007f1d4804c3bd <+141>: mov %rax,(%rsp) 0x00007f1d4804c3c1 <+145>: xor %eax,%eax 0x00007f1d4804c3c3 <+147>: callq 0x7f1d4804a768 0x00007f1d4804c3c8 <+152>: cmp $0xffffffffffffffff,%eax 0x00007f1d4804c3cb <+155>: je 0x7f1d4804c7b3 0x00007f1d4804c3d1 <+161>: cmpl $0xff,0x88(%rsp) 0x00007f1d4804c3dc <+172>: jle 0x7f1d4804c3ea 0x00007f1d4804c3de <+174>: mov 0x78(%rsp),%rax 0x00007f1d4804c3e3 <+179>: movb $0x0,0xff(%rax) 0x00007f1d4804c3ea <+186>: cmpl $0xff,0x84(%rsp) 0x00007f1d4804c3f5 <+197>: jle 0x7f1d4804c403 0x00007f1d4804c3f7 <+199>: mov 0x70(%rsp),%rax 0x00007f1d4804c3fc <+204>: movb $0x0,0xff(%rax) 0x00007f1d4804c403 <+211>: cmpl $0xff,0x80(%rsp) 0x00007f1d4804c40e <+222>: jle 0x7f1d4804c41c 0x00007f1d4804c410 <+224>: mov 0x68(%rsp),%rax => 0x00007f1d4804c415 <+229>: movb $0x0,0xff(%rax) 0x00007f1d4804c41c <+236>: cmp $0x4,%ebp 0x00007f1d4804c41f <+239>: jbe 0x7f1d4804c7e0 0x00007f1d4804c425 <+245>: cmpq $0x0,0x60(%rsp) 0x00007f1d4804c42b <+251>: lea 0x2e3a(%rip),%rdx # 0x7f1d4804f26c 0x00007f1d4804c432 <+258>: je 0x7f1d4804c92f 0x00007f1d4804c438 <+264>: mov 0x206d2a(%rip),%edi # 0x7f1d48253168 0x00007f1d4804c43e <+270>: callq 0x7f1d4804a508 0x00007f1d4804c443 <+275>: mov 0x206d27(%rip),%edi # 0x7f1d48253170 0x00007f1d4804c449 <+281>: callq 0x7f1d4804a468 0x00007f1d4804c44e <+286>: callq 0x7f1d4804a788 Having this hint, I checked the code of the PHP-script which was: define ("MSSQL_SERVER", "www"); define ("MSSQL_USER", "xxx"); define ("MSSQL_PASSWORD", "yyy"); define ("MSSQL_DATABASE", "zzz"); mssql_connect(MSSQL_SERVER, MSSQL_USER, MSSQL_PASSWORD); mssql_select_db(MSSQL_DATABASE); So there was no error checking. In fact the hostname of the server was wrong, this is why the connection did not succeed. After I fixed the hostname, the code ran without the segmentation fault. It made no difference, if I use "define" or put in the values for the connection als strings. So the bug is triggered, if the hostname for mssql_connect does not exist.