Brian Milby brian at
Fri Jun 15 21:58:46 EDT 2018

I think that as long as you control the string that is passed to merge you
should be fine.  But if the user were able to directly influence the string
that is passed to merge, then they certainly could inject something.

put the text of field 1 into tMerge
put merge(tMerge) into tDangerousUse
put merge("Field 1 contains: [[tMerge]]") into tSafeUse

So, I think your assumption is correct.

On Fri, Jun 15, 2018 at 8:06 PM, Mike Bonner via use-livecode <
use-livecode at> wrote:

> I just had a thought while pondering some code from another thread.  I have
> done things like put merge("This is a random number: [[random(tNum)]]")
> Since merge can do what do can, is there a way this method could be taken
> advantage of using an injection type of attack?   I'm thinking the answer
> is no, (and I haven't managed to find a way to inject yet,) other than
> allowing a user to build the whole merge string themselves (which would be
> a "bad thing to do" (c))
> Am I wrong?  Is it safe as long as I don't do anything careless?
> _______________________________________________
> use-livecode mailing list
> use-livecode at
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:

More information about the Use-livecode mailing list