These look the same to me. Both versions place content into a variable. Is the difference because of how the engine evaluates the input somehow?

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode <use-livecode@lists.runrev.com> wrote:

Using do safely is the same as making database queries safe, or URL requests.

You 'just' need to make sure that any input from outside is sanitized to ensure that it doesn't change the meaning of the expression you are 'doing'.

For example, don't interpolate strings directly in the script using quotes, use a local var instead:

put user input into tVar1
do "put tVar1 into x" -- safe

Rather than

do "put " && quote & user input & quote && "into x" -- not safe

Warmest Regards,

Mark.

Sent from my iPhone

> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode <use-livecode@lists.runrev.com> wrote:
>
> Dear Geniuses
>
> Sometimes.... late at night just before falling asleep I think about the
> dangers of the do command.  Is it possible to inject code into this
> mechanism through malware?
>
> I do not have enough understanding of operating systems and their processes
> ...and the livecode engine....to be able to know if its a reasonable
> question or not.
>
> Thanks for any input on this.
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode


_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode




_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode

Reply via email to