[On-Rev] Using Shell to Manipulate SQL
andre at andregarzia.com
Sun Aug 14 03:52:32 EDT 2011
This is a quick email typed on a phone at an airport so forgive me for not
going too deep.
Basically : don't do it!!!!!
The dangers are too big. You should avoid using shell() with anything that
comes from user input.
If the user chooses a username such as:
" && rm -rf *
And this, in a very unlucky day, is not detected by your security filters
and this ends up in a shell() call, all your files are gone.
Shell calls are very powerful and just like Uncle Ben said: "with great
power comes great GREAT HACKING ENTRY POINTS AND SCRIPT INJECTION ".
You should only use them with strings that have no part computed from third
Sent from my Nexus S - android is freedom.
http://andregarzia.com :: all we do is code
http://fon.nu :: minimalist url shortening
On 09/08/2011 04:09, "Andrew Kluthe" <andrew at rjdfarm.com> wrote:
> Here is another thing I am wondering about this evening.
> I am curious as to how much power the Shell() function has in an On-Rev
> configuration. I'd like to create mySQL databases & users on the fly.
> I know the shell() function can run commands for you, but do you think I
> will be able to create mysql databases and users as root?
> Has anyone tried this?
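To make Andre's point concrete, here is an added example (Python, not LiveCode, and not code from either poster) of the two things that keep a username like the one above out of a shell: an allowlist check that rejects it outright, and building the MySQL command as an argument list so no shell ever parses it. The identifier pattern and the `mysql -e` invocation are assumptions chosen for illustration; in LiveCode itself the equivalent is to skip shell() and talk to MySQL through the database library (revOpenDatabase / revExecuteSQL).

```python
import re
import subprocess

# Allowlist for usernames: letters, digits and underscore, 1-32 characters.
# Constructed for this example; tighten it to your own naming policy.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name: str) -> bool:
    """True only for names that cannot carry shell or SQL metacharacters."""
    return USERNAME_RE.fullmatch(name) is not None


def unsafe_shell_command(name: str) -> str:
    """The string concatenation pattern Andre warns about.

    Returned as text only, to show how the user's input lands verbatim
    inside the command line that shell() would hand to /bin/sh."""
    return "mysql -e \"CREATE USER '" + name + "'@'localhost';\""


def build_create_user_argv(name: str, host: str = "localhost") -> list:
    """Return an argv list for the mysql client.

    The SQL text is a single argument and the name has already passed the
    allowlist, so neither a shell operator nor a quote can change the command."""
    if not validate_username(name):
        raise ValueError(f"rejected username: {name!r}")
    sql = f"CREATE USER '{name}'@'{host}';"
    return ["mysql", "-e", sql]


def run_create_user(name: str) -> subprocess.CompletedProcess:
    """Execute without a shell: a list plus the default shell=False means
    subprocess execs mysql directly and never invokes /bin/sh."""
    return subprocess.run(build_create_user_argv(name), check=True)


if __name__ == "__main__":
    payload = '" && rm -rf *'          # the username from the thread, constructed here as a test value
    print("unsafe command line:", unsafe_shell_command(payload))
    print("allowlist accepts it:", validate_username(payload))      # False
    print("safe argv for app_user:", build_create_user_argv("app_user"))
```

Running it prints the concatenated command line with `&& rm -rf *` sitting outside the quotes, then shows the allowlist rejecting the same string and the argv form that a validated name produces.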