MOO-cows Mailing List Archive
Re:
>> How about comparing
>> call_function("notify", player, foo);
>> with
>> eval("notify(player, " + FOO + ");");
>> ...? The latter leaves you wide-open for people to slip in nasties,
>> while using call_function() makes you safer.
> I'm sorry, I don't follow you... how could the latter pose a threat?
I see I screwed up my example above, so I'll fix it here.
What if foo == "hi\");recycle(player" ? Then you'd
    eval("notify(player, \"" + FOO + ");");
    => eval("notify(player, \"" + "hi\");recycle(player" + ");");
    => eval("notify(player, \"hi\");recycle(player);");
    => notify(player, "hi");
       recycle(player);
... which could have very nasty side effects.
Seth / Blackbriar
---------------------------------------------------------------------------
Seth I. Rich - sir@po.cwru.edu no, no quote.
Rabbits on walls, no problem. it's far too cold.
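
The expansion walked through in the message above, modelled in Python as an added example (not code from the original post or from the MOO server). It builds the eval() source with the message's raw-concatenation template and again with the value escaped as a MOO string literal, then lists which function calls end up outside any string. The helper names are hypothetical, and the escaping (backslash and double quote) is an assumption modelled on what MOO's toliteral() does for strings.

```python
import re

# Value of foo taken from the message above.
PAYLOAD = 'hi");recycle(player'

def build_naive(foo):
    # Same template as the message: raw text spliced into MOO source.
    return 'notify(player, "' + foo + ');'

def moo_literal(s):
    # Escape backslash and double quote, then wrap in quotes, so the
    # value can only ever parse as one MOO string literal.
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'

def build_quoted(foo):
    # Hardened form: the value enters the source only as a literal.
    return 'notify(player, ' + moo_literal(foo) + ');'

def calls_outside_strings(source):
    """Return names of functions called outside string literals."""
    code, i, in_str = [], 0, False
    while i < len(source):
        ch = source[i]
        if in_str:
            if ch == '\\':
                i += 2              # skip the escaped character
                continue
            if ch == '"':
                in_str = False      # closing quote ends the literal
        elif ch == '"':
            in_str = True           # opening quote starts a literal
        else:
            code.append(ch)         # keep only text that is real code
        i += 1
    return re.findall(r'([A-Za-z_]\w*)\s*\(', ''.join(code))

if __name__ == "__main__":
    for build in (build_naive, build_quoted):
        src = build(PAYLOAD)
        print(build.__name__, "->", src, calls_outside_strings(src))
```

With call_function("notify", player, foo) the value is never parsed as source at all, so no escaping step is needed.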