merge()

Mike Bonner bonnmike at gmail.com
Fri Jun 15 22:20:23 EDT 2018


Cool, thanks!

On Fri, Jun 15, 2018 at 7:58 PM Brian Milby <brian at milby7.com> wrote:

> I think that as long as you control the string that is passed to merge you
> should be fine.  But if the user were able to directly influence the string
> that is passed to merge, then they certainly could inject something.
>
> put the text of field 1 into tMerge
> put merge(tMerge) into tDangerousUse
> put merge("Field 1 contains: [[tMerge]]") into tSafeUse
>
> So, I think your assumption is correct.
>
> On Fri, Jun 15, 2018 at 8:06 PM, Mike Bonner via use-livecode <
> use-livecode at lists.runrev.com> wrote:
>
>> I just had a thought while pondering some code from another thread.  I have
>> done things like put merge("This is a random number: [[random(tNum)]]")
>>
>> Since merge can do what do can, is there a way this method could be taken
>> advantage of using an injection type of attack?   I'm thinking the answer
>> is no, (and I haven't managed to find a way to inject yet,) other than
>> allowing a user to build the whole merge string themselves (which would be
>> a "bad thing to do" (c))
>>
>> Am I wrong?  Is it safe as long as I don't do anything careless?
>
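
The two uses contrasted in the reply above, put side by side as a LiveCode script. This is an added example, not code from either poster: the handler and function names are hypothetical, the input string is a constructed stand-in for text typed into field 1, and the token check assumes the [[ ]] and <? ?> delimiters that merge() acts on.

```livecode
-- Added example; all handler, function and variable names are hypothetical.

-- True when pText carries merge() delimiters. Such text must never be used
-- as a merge template or concatenated into one.
function hasMergeTokens pText
   return (pText contains "[[") or (pText contains "<?")
end hasMergeTokens

-- Fixed template that refers to the untrusted text by variable name.
-- merge() inserts the variable's value; the value is not treated as a template.
function safeLabel pUntrusted
   local tMerge
   put pUntrusted into tMerge
   return merge("Field 1 contains: [[tMerge]]")
end safeLabel

-- The pattern to avoid: the untrusted text itself is the template, so any
-- expression or statement it contains is evaluated by merge().
function unsafeLabel pUntrusted
   return merge(pUntrusted)
end unsafeLabel

on compareMergeUses
   local tInput, tReport
   -- constructed sample standing in for the text of field 1
   put "total: [[1 + 1]]" into tInput

   put "input has merge tokens:" && hasMergeTokens(tInput) into tReport
   put return & "template = user text:" && unsafeLabel(tInput) after tReport
   put return & "user text as variable:" && safeLabel(tInput) after tReport

   -- with no destination, put writes to the message box
   put tReport
end compareMergeUses
```

Calling compareMergeUses from the message box shows both results next to each other; hasMergeTokens can also serve as a reject-on-match check wherever a merge string is built from anything other than script constants.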


