I think that as long as you control the string that is passed to merge you
should be fine.  But if the user were able to directly influence the string
that is passed to merge, then they certainly could inject something.

put the text of field 1 into tMerge
put merge(tMerge) into tDangerousUse
put merge("Field 1 contains: [[tMerge]]") into tSafeUse

So, I think your assumption is correct.

On Fri, Jun 15, 2018 at 8:06 PM, Mike Bonner via use-livecode <
use-livecode@lists.runrev.com> wrote:

> I just had a thought while pondering some code from another thread.  I have
> done things like put merge("This is a random number: [[random(tNum)]]")
>
> Since merge can do what do can, is there a way this method could be taken
> advantage of using an injection type of attack?   I'm thinking the answer
> is no, (and I haven't managed to find a way to inject yet,) other than
> allowing a user to build the whole merge string themselves (which would be
> a "bad thing to do" (c))
>
> Am I wrong?  Is it safe as long as I don't do anything careless?
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
  • merge() Mike Bonner via use-livecode
    • Re: merge() Brian Milby via use-livecode
