Replace Quotes with Escaped Quotes in String
Peter TB Brett
peter.brett at livecode.com
Sat Dec 19 17:21:27 EST 2015
On 2015-12-19 21:09, Brahmanathaswami wrote:
> for closure on this
>
> This works;
>
> if tVisitorsInfo is empty then exit to top
> put getAddresses() into tAddresses
> put tVisitorsInfo into tBody
> replace quote with backslash & quote in tContainer
> put ("echo " & quote & tBody & quote & " | ") into tCmd
> put format ("mail -s \"Visitor Care Notice\" -r
> \"No-Reply at hindu.org\" " & tAddresses) after tCmd
> get shell(tCmd)
>

As I explained in a previous e-mail, please don't do this.
It allows anyone who can affect the contents of tVisitorsInfo to execute
arbitrary code on your server.

It's much safer to put the body in single quotes to protect from shell
expansion. Or put the body into a temporary file and pass it to "mail"
using the "<" shell operator. Or use "open process" for "mail" and
write the body content to the process's standard input. Or, well,
pretty much anything else.

Peter
--
Dr Peter Brett <peter.brett at livecode.com>
LiveCode Open Source Team
LiveCode on reddit! <https://reddit.com/r/livecode>
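
Added example, not part of the original message: a shell sketch comparing the double-quote wrapping from the quoted handler with the single-quote and standard-input alternatives named in the reply. The function names and the sample body are constructed for illustration, and `cat` stands in for `mail` so nothing is sent.

```shell
#!/bin/sh
# Constructed sample input: visitor text with a double quote and a command
# substitution. The substitution only echoes a marker, so it is harmless.
BODY='He said "hi" $(echo INJECTED)'

# What the quoted handler builds: escape " and wrap the body in "...".
# Inside double quotes the shell still expands $(...), backticks and $VAR.
dq_wrap() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/\\"/g')"
}

# Single-quote wrapping: nothing is expanded inside '...'. The only character
# that needs handling is ' itself, rewritten as '\'' (close, literal ', reopen).
sq_wrap() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Run the command line the way shell(tCmd) does: as one string handed to sh.
# $1 is the already-quoted body; cat is a stand-in for mail (assumption).
run_echo_pipeline() {
    sh -c "echo $1 | cat"
}

# Body supplied on standard input: it never becomes part of the command
# string, so no quoting scheme is involved at all.
run_stdin() {
    printf '%s\n' "$1" | sh -c 'cat'
}

printf 'double-quoted: %s\n' "$(run_echo_pipeline "$(dq_wrap "$BODY")")"
printf 'single-quoted: %s\n' "$(run_echo_pipeline "$(sq_wrap "$BODY")")"
printf 'via stdin:     %s\n' "$(run_stdin "$BODY")"
```

Only the double-quoted variant lets the shell evaluate text from the body; the other two deliver it byte for byte. Any other value spliced into the command string, such as the address list, needs the same treatment.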