do. command. safety. ?

J. Landman Gay jacque at hyperactivesw.com
Fri Mar 30 13:09:44 EDT 2018


These look the same to me. Both versions place content into a variable. Is 
the difference because of how the engine evaluates the input somehow?

--
Jacqueline Landman Gay | jacque at hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode 
<use-livecode at lists.runrev.com> wrote:

> Using do safely is the same as making database queries safe, or URL requests.
>
> You 'just' need to make sure that any input from outside is sanitized to 
> ensure that it doesn't change the meaning of the expression you are 'doing'.
>
> For example, don't interpolate strings directly in the script using quotes, 
> use a local var instead:
>
> put user input into tVar1
> do "put tVar1 into x" -- safe
>
> Rather than
>
> do "put " && quote & user input & quote && "into x" -- not safe
>
> Warmest Regards,
>
> Mark.
>
> Sent from my iPhone
>
> > On 30 Mar 2018, at 16:43, Tom Glod via use-livecode 
> <use-livecode at lists.runrev.com> wrote:
> >
> > Dear Geniuses
> >
> > Sometimes.... late at night just before falling asleep I think about the
> > dangers of the do command.  Is it possible to inject code into this
> > mechanism through malware?
> >
> > I do not have enough understanding of operating systems and their processes
> > ...and the livecode engine....to be able to know if its a reasonable
> > question or not.
> >
> > Thanks for any input on this.
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your 
> subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
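The two forms Mark describes, written out as LiveCode handlers so the difference Jacque asks about is visible in one place. This is an added example, not code from the thread; the handler names storeSafely, storeUnsafely and isSafeLiteral are my own. The point is where the user's text ends up: in the safe form the string handed to do is a constant and the input only ever exists as the value of a variable, while in the unsafe form the input is spliced into the script source before the engine compiles it, so a quote or line break in the input changes what the script means.

```livecode
-- Safe: the script text is fixed. The input is stored in tVar1 as data,
-- and "do" compiles a constant statement that merely names that variable.
-- (do runs in the context of the current handler, so it can see tVar1 and x.)
command storeSafely pUserInput
   local tVar1, x
   put pUserInput into tVar1
   do "put tVar1 into x"
   return x
end storeSafely

-- Unsafe: the input becomes part of the script source. A quote character
-- ends the string literal early, and a line break starts a new statement,
-- so the input can alter the statement instead of just being its value.
command storeUnsafely pUserInput
   local x
   do "put " & quote & pUserInput & quote & " into x"
   return x
end storeUnsafely

-- Guard for the rare case where building script text from input cannot be
-- avoided: refuse anything that could terminate the literal or add a
-- statement. Prefer the variable form above; use this only as a second line.
function isSafeLiteral pText
   if pText contains quote then return false
   if pText contains return or pText contains linefeed then return false
   return true
end isSafeLiteral

-- Constructed usage (not from the thread):
on mouseUp
   local tInput
   put "hello world" into tInput
   put storeSafely(tInput) into msg                 -- hello world
   if isSafeLiteral(tInput) then
      put storeUnsafely(tInput) & return after msg  -- same result for benign input
   end if
end mouseUp
```

The same rule covers other places LiveCode compiles or evaluates text at runtime, such as the value function and send: pass data through variables or parameters and keep the script text itself constant, rather than trying to escape the input.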
