Mike Bonner bonnmike at
Fri Jun 15 22:20:23 EDT 2018

Cool, thanks!

On Fri, Jun 15, 2018 at 7:58 PM Brian Milby <brian at> wrote:

> I think that as long as you control the string that is passed to merge you
> should be fine.  But if the user were able to directly influence the string
> that is passed to merge, then they certainly could inject something.
> put the text of field 1 into tMerge
> put merge(tMerge) into tDangerousUse
> put merge("Field 1 contains: [[tMerge]]") into tSafeUse
> So, I think your assumption is correct.
> On Fri, Jun 15, 2018 at 8:06 PM, Mike Bonner via use-livecode <
> use-livecode at> wrote:
>> I just had a thought while pondering some code from another thread.  I
>> have
>> done things like put merge("This is a random number: [[random(tNum)]]")
>> Since merge can do what do can, is there a way this method could be taken
>> advantage of using an injection type of attack?   I'm thinking the answer
>> is no, (and I haven't managed to find a way to inject yet,) other than
>> allowing a user to build the whole merge string themselves (which would be
>> a "bad thing to do" (c))
>> Am I wrong?  Is it safe as long as I don't do anything careless?
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:

More information about the Use-livecode mailing list