Think about the string that can be constructed in the quoted version - user input could be "; ...;put " where ... is any code you would like...
Sent from my iPhone

> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode
> <use-livecode@lists.runrev.com> wrote:
>
> These look the same to me. Both versions place content into a variable. Is
> the difference because of how the engine evaluates the input somehow?
>
> --
> Jacqueline Landman Gay | jac...@hyperactivesw.com
> HyperActive Software | http://www.hyperactivesw.com
>
>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode
>> <use-livecode@lists.runrev.com> wrote:
>>
>> Using do safely is the same as making database queries safe, or URL requests.
>>
>> You 'just' need to make sure that any input from outside is sanitized to
>> ensure that it doesn't change the meaning of the expression you are 'doing'.
>>
>> For example, don't interpolate strings directly in the script using quotes,
>> use a local var instead:
>>
>>    put user input into tVar1
>>    do "put tVar1 into x" -- safe
>>
>> Rather than
>>
>>    do "put " && quote & user input & quote && "into x" -- not safe
>>
>> Warmest Regards,
>>
>> Mark.
>>
>> Sent from my iPhone
>>
>> > On 30 Mar 2018, at 16:43, Tom Glod via use-livecode
>> > <use-livecode@lists.runrev.com> wrote:
>> >
>> > Dear Geniuses
>> >
>> > Sometimes.... late at night just before falling asleep I think about the
>> > dangers of the do command. Is it possible to inject code into this
>> > mechanism through malware?
>> >
>> > I do not have enough understanding of operating systems and their processes
>> > ...and the livecode engine....to be able to know if it's a reasonable
>> > question or not.
>> >
>> > Thanks for any input on this.
>> >
>> > _______________________________________________
>> > use-livecode mailing list
>> > use-livecode@lists.runrev.com
>> > Please visit this url to subscribe, unsubscribe and manage your
>> > subscription preferences:
>> > http://lists.runrev.com/mailman/listinfo/use-livecode
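The two patterns Mark contrasts, written out as a runnable button script. This is an added example, not code from the thread or from LiveCode itself; the handler and variable names (unsafeStatement, tUserInput, tVar1, x) and the sample input are assumptions made for the illustration. The helper only assembles the text that the quoted form would hand to do, so you can see how a quote character in the input changes the statement's structure without ever executing it.

```livecode
-- Added example (not from the thread): safe "do" via a local variable,
-- beside a helper that builds, but does not run, the quoted form.
-- Names and the sample input are assumptions for illustration.

-- Assemble the statement text that the "not safe" form would pass to do.
-- Returning the text instead of executing it lets us inspect it safely.
function unsafeStatement pInput
   return "put " && quote & pInput & quote && "into x"
end unsafeStatement

on mouseUp
   local tUserInput, tVar1, x

   -- constructed input that contains a double-quote character
   put "hello" & quote & " world" into tUserInput

   -- safe: do reads the variable by name, so the statement text is fixed
   -- and the input is only ever data, whatever characters it contains
   put tUserInput into tVar1
   do "put tVar1 into x"
   answer "x now holds:" && x

   -- quoted form: the quote inside the input terminates the string literal
   -- early, so the statement that would reach do is no longer the one the
   -- author wrote; compare its text with the intended put ... into x
   answer "the quoted form would execute:" && unsafeStatement(tUserInput)
end mouseUp
```

Put the script on a button and click it: the first dialog shows that x received the input unchanged, quote included, while the second shows the assembled statement text with the literal split by the input's quote. The check to take from this is structural: if the input can ever appear inside the text given to do, it can change which statement do sees, and only the variable form keeps the statement text constant.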