Don't have access to UV at present, but wonder if the following INPUT would do the "trick"
> ' AND WITH EVAL "EXECUTE 'CLEAR.FILE CLIENT'" = ' Ross Ferris Stamina Software Visage > Better by Design! >-----Original Message----- >From: [EMAIL PROTECTED] [mailto:owner-u2- >[EMAIL PROTECTED] On Behalf Of penno >Sent: Monday, 29 October 2007 11:45 AM >To: u2-users@listserver.u2ug.org >Subject: RE: [U2] Stringing commands together on the command line. >Possible? > >Hi Bill, David, all > >I'm getting the answers I want. (c: I'm glad it doesn't look like it's >possible. > >I should have explained myslef more clearly. I'm looking at it from a >security point of view. I read this comic the other day, > >http://xkcd.com/327/ > >and wondered if there was a risk of malicious code insertion with our >inhouse programs. For instance suppose there was a program like this >(and >it's been a while since I've programmed, so I hope you'll all get the >gist >of it!): > >>CRT "INPUT MEMBER NAME: " >>INPUT MEM.NAME >> >>EXECUTE "SELECT CLIENT WITH MEMBER.NAME = '":MEM.NAME:"'" > >Innocuous enough. Now, assume for a minute the ";" delimiter worked like >in >unix. And suppose a malicious user, when prompted for MEM.NAME, entered: > >>FRED' ; CLEAR.FILE CLIENT ; CRT 'NOTHING > >From what I can tell, this would execute a CLEAR.FILE on CLIENT. I would >like to be sure that this kind of thing's not possible. So far, so good. >(c: >Thanks for your speedy answers. > >Penno > > > >Bill Haskett wrote: >> >> Penno: >> >> As far as I know, this won't work. However, I can think of three ways >to >> accomplish >> this: >> >> > >-- >View this message in context: http://www.nabble.com/Stringing-commands- >together-on-the-command-line.-Possible--tf4688153.html#a13459953 >Sent from the U2 - Users mailing list archive at Nabble.com. >------- >u2-users mailing list >u2-users@listserver.u2ug.org >To unsubscribe please visit http://listserver.u2ug.org/ ------- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/