J does not currently have facilities for tracking malicious user input and ensuring that it's treated safely. (This is an open-ended issue.)
As a consequence, the developer must ensure that input from untrusted users is sufficiently cleaned before it's used, or that J is executing in a "safe" environment (such as the user's machine, though a chroot "jail" might also work in some contexts).

That said, with a left argument, the 'do' verb will limit itself to translating numbers to numeric form (using the left argument as a placeholder where that fails). You'll want to be using 'do' this way, anyways, if you're working with textual representation of numbers where the '-' character is used to indicate negative numbers.

Thanks,

--
Raul

On Tue, Feb 18, 2020 at 3:17 PM 'Jim Russell' via Programming <[email protected]> wrote:
>
> Does the "do" approach involve risks like SQL injection risks? How does one
> ensure that a user response doesn't include malicious J code?
>
> > On Feb 18, 2020, at 1:34 PM, PMA <[email protected]> wrote:
> >
> > Bob, Jimmy, Pascal --
> > Just plain old Do fercrisake.
> > Omg, I feel like an idiot!
> > (Happy, o'course)
> >
> > See, I'll be using the quotes in one string
> > as the var NAME that this function's output
> > will be assigned to. A little cumbersome,
> > but hey...
> >
> > Thanks again!
> > Cheers back!!!
> > Pete
> >
> >> On 02/18/2020 12:27 PM, 'robert therriault' via Programming wrote:
> >> Hi Pete,
> >>
> >> Are you looking for ". (Do)
> >> https://code.jsoftware.com/wiki/Vocabulary/quotedot
> >>
> >> ".'1 + 1'
> >> 2
> >> FUNCTION=: 4 : 0
> >> smoutput x NB. output x string
> >> smoutput y NB. output y string
> >> x +&". y NB. Using + as the dyadic verb placeholder, equivalent to (". x) + ". y
> >> )
> >> '1+1' FUNCTION '2+2'
> >> 1+1
> >> 2+2
> >> 6
> >>
> >> Cheers, bob
> >>
> >>> On Feb 18, 2020, at 09:10, PMA <[email protected]> wrote:
> >>>
> >>> This question must be too clueless to ask,
> >>> but two hours with NuVoc leaves me still
> >>> wondering --
> >>>
> >>> I need to write a function invocation with
> >>> its numeric x and y each in quotes as TEXT:
> >>>
> >>> '1+1' FUNCTION '2+2'
> >>>
> >>> I want the function then, after displaying
> >>> x and y, to remove their quotes and execute
> >>> their innards.
> >>>
> >>> What (a primitive, I assume!) will convert
> >>> each quote to an executable expression?
> >>>
> >>> Thanks in advance.
> >>> Sorry to test your patience!
> >>> Pete
> >>> ----------------------------------------------------------------------
> >>> For information about J forums see http://www.jsoftware.com/forums.htm
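A worked illustration of Raul's point about the left argument, added here and not code from the thread: the same untrusted string handed to monadic `".` is executed as a J sentence, while the dyadic form only converts words to numbers, so a verb can read numeric input without evaluating it. The verb names `unsafeEval` and `numsOnly` and the choice of `_` as the placeholder are my own assumptions; the check presumes users never need to type a literal `_`.

```j
NB. Added example, not from the thread: reading untrusted text with ". (Do / Numbers).
NB. Monadic ". executes its argument as a J sentence, so whatever a user typed runs.
unsafeEval =: ".
NB. Dyadic x ". y converts each word of y to a number and substitutes x for any
NB. word that is not a number; nothing in y is executed.
numsOnly =: 3 : 0
  r =. _ ". y             NB. _ (infinity) is the placeholder; assumes no legitimate _ input
  assert. -. _ e. r       NB. reject input that contained anything other than numbers
  r
)
NB. Usage on constructed input:
numsOnly '12 _3 4.5'      NB. a plain numeric list (J negatives use _) passes through
NB. numsOnly '1+1'        NB. fails the assertion: '+' is not a number, so nothing is run
NB. unsafeEval '1+1'      NB. would evaluate the text as J, the risk Jim asked about
```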
