do. command. safety. ?

Mark Waddingham mark at livecode.com
Fri Mar 30 19:15:32 CEST 2018


Think about the string that can be constructed in the quoted version - user input could be "; ...;put " where ... is any code you would like...

Sent from my iPhone

> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> These look the same to me. Both versions place content into a variable. Is the difference because of how the engine evaluates the input somehow?
> 
> --
> Jacqueline Landman Gay | jacque at hyperactivesw.com
> HyperActive Software | http://www.hyperactivesw.com
>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode <use-livecode at lists.runrev.com> wrote:
>> 
>> Using do safely is the same as making database queries safe, or URL requests.
>> 
>> You 'just' need to make sure that any input from outside is sanitized to ensure that it doesn't change the meaning of the expression you are 'doing'.
>> 
>> For example, don't interpolate strings directly in the script using quotes, use a local var instead:
>> 
>> put user input into tVar1
>> do "put tVar1 into x" -- safe
>> 
>> Rather than
>> 
>> do "put " && quote & user input & quote && "into x" -- not safe
>> 
>> Warmest Regards,
>> 
>> Mark.
>> 
>> Sent from my iPhone
>> 
>> > On 30 Mar 2018, at 16:43, Tom Glod via use-livecode <use-livecode at lists.runrev.com> wrote:
>> >
>> > Dear Geniuses
>> >
>> > Sometimes.... late at night just before falling asleep I think about the
>> > dangers of the do command.  Is it possible to inject code into this
>> > mechanism through malware?
>> >
>> > I do not have enough understanding of operating systems and their processes
>> > ...and the livecode engine....to be able to know if its a reasonable
>> > question or not.
>> >
>> > Thanks for any input on this.
>> > _______________________________________________
>> > use-livecode mailing list
>> > use-livecode at lists.runrev.com
>> > Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> > http://lists.runrev.com/mailman/listinfo/use-livecode
>> 
>> 
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 
> 
> 
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode




More information about the use-livecode mailing list