The user input was indirected through a variable in the safe version - not made part of the do string... That's the critical difference.

The unsafe version allows user input to change the do'd code, the safe version only changes the content of a variable the do string uses.

Warmest Regards,

Mark.

Sent from my iPhone

> On 30 Mar 2018, at 19:24, J. Landman Gay via use-livecode <use-livecode@lists.runrev.com> wrote:
>
> Well yes, but as Bob mentioned, wouldn't a variable do the same thing?
>
> put ";delete hard drive;put " into x
> do x
>
> vs:
>
> do "put " && quote & ";delete hard drive;put " & quote && "into x"
>
> This actually came up way back in MetaCard where it was pointed out that the engine was about as secure as it gets as long as you validate all user input when using "do" or (I think) "value". In the first example above, input needs to be examined before the "do" command is issued. So I think there's a line or two missing in there somewhere. ;)
>
>> On 3/30/18 12:15 PM, Mark Waddingham via use-livecode wrote:
>> Think about the string that can be constructed in the quoted version - user input could be "; ...;put " where ... is any code you would like...
>>
>> Sent from my iPhone
>>
>>> On 30 Mar 2018, at 18:09, J. Landman Gay via use-livecode <use-livecode@lists.runrev.com> wrote:
>>>
>>> These look the same to me. Both versions place content into a variable. Is the difference because of how the engine evaluates the input somehow?
>>>
>>> --
>>> Jacqueline Landman Gay | jac...@hyperactivesw.com
>>> HyperActive Software | http://www.hyperactivesw.com
>>>
>>>> On March 30, 2018 11:04:54 AM Mark Waddingham via use-livecode <use-livecode@lists.runrev.com> wrote:
>>>>
>>>> Using do safely is the same as making database queries safe, or URL requests.
>>>>
>>>> You 'just' need to make sure that any input from outside is sanitized to ensure that it doesn't change the meaning of the expression you are 'doing'.
>>>>
>>>> For example, don't interpolate strings directly in the script using quotes, use a local var instead:
>>>>
>>>> put user input into tVar1
>>>> do "put tVar1 into x" -- safe
>>>>
>>>> Rather than
>>>>
>>>> do "put " && quote & user input & quote && "into x" -- not safe
>>>>
>>>> Warmest Regards,
>>>>
>>>> Mark.
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On 30 Mar 2018, at 16:43, Tom Glod via use-livecode <use-livecode@lists.runrev.com> wrote:
>>>>>
>>>>> Dear Geniuses
>>>>>
>>>>> Sometimes.... late at night just before falling asleep I think about the dangers of the do command. Is it possible to inject code into this mechanism through malware?
>>>>>
>>>>> I do not have enough understanding of operating systems and their processes ...and the livecode engine....to be able to know if it's a reasonable question or not.
>>>>>
>>>>> Thanks for any input on this.
>
> --
> Jacqueline Landman Gay | jac...@hyperactivesw.com
> HyperActive Software | http://www.hyperactivesw.com
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
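The two constructions from the thread, side by side with a constructed attacker string, as an added example that is not code from the thread, from Mark, or from LiveCode itself. It assumes it is pasted into a button's script and run in the IDE; the input string is made up here to stand in for data arriving from a field, a file or the network, and the injected statement is a harmless answer dialog so you can see when it fires.

```livecode
-- Added example (not from the thread). Run as a button script in the LiveCode IDE.
on mouseUp
   local tUserInput, tCode, x

   -- Constructed attacker input. The embedded quote closes the string literal
   -- that the unsafe form wraps around it, so the rest is parsed as statements.
   put "harmless" & quote & " into x; answer " & quote & "injected" & quote & \
         "; put " & quote & "tail" into tUserInput

   -- UNSAFE: the input is spliced into the script text, so it is parsed as code.
   -- tCode ends up as:
   --   put "harmless" into x; answer "injected"; put "tail" into x
   put "put " & quote & tUserInput & quote & " into x" into tCode
   do tCode
   -- x is now "tail", and the injected answer dialog has already been shown.

   -- SAFE: the script text is fixed; the input is reached only as the value of
   -- a variable. do runs in this handler's context, so tUserInput is in scope.
   put empty into x
   do "put tUserInput into x"
   -- x now holds the whole input string verbatim; no part of it was executed.
   answer "x contains:" && x

   -- Also UNSAFE: doing the variable's contents directly is the same as the
   -- quoted form, because the input itself becomes the code.
   -- do tUserInput
end mouseUp
```

Clicking the button shows the "injected" dialog once, from the first do only; the second do never executes anything inside the input, however it is quoted. The practical check when auditing a script is therefore not whether a variable appears somewhere, but whether the string handed to do (or value) was built from outside data: the last commented line is Jacque's "do x" pattern, and it is the quoted form in disguise.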