[On-Rev] Using Shell to Manipulate SQL

Andre Garzia andre at andregarzia.com
Sun Aug 14 03:52:32 EDT 2011


Andrew,

This is a quick email typed on a phone on an aiport so forgive me for not
going to deep.

Basically : don't do it!!!!!

The dangers are too big. You should avoid using shell() with anything that
comes from user input.

If the user chooses a username such as:

" && rm -rf *

And this, in a very unlucky day, is not detected by your security filters
and this ends up in a shell() call, all your files are gone.

Shell calls are very powerful and just like uncle ben said: "with great
power comes great GREAT HACKING ENTRY POINTS AND SCRIPT INJECTION ".

You should only use them with strings that have no part computed from third
parties.

Cheers

--
enviado do meu Nexus S - android is freedom.
http://andregarzia.com :: all we do is code
http://fon.nu :: minimalist url shortening
Em 09/08/2011 04:09, "Andrew Kluthe" <andrew at rjdfarm.com> escreveu:
> Here is another thing I am wondering about this evening.
>
> I am curious as to how much power the Shell() function in an On-Rev
> configuration is. I'd like to create mySQL databases & users on the fly.
>
> I know the shell() function can run commands for you, but do you think I
> will be able to create mysql databases and users as root?
>
>
> Has anyone tried this?
>
> Thanks,
>
> Andrew
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode



More information about the Use-livecode mailing list