Matthew Wild wrote:
On Sat, Apr 4, 2009 at 11:12 PM, Francio <francio@francio.pl> wrote:
Hello!
<snip>
And by the way, is this way of concatenating 100% safe from any code injection? Can only "]]" end a string beginning with "[["?

There is no 100% safe way the way you are doing it - whatever you use for the start has an end marker, and there is always a chance that this end marker will appear in the user's code. The correct way is using string.format()'s %q specifier. Your example would be:

"user_code= " .. string.format("%q", user_code_here) .. "]]"
Thanks a lot for your answer. But I forgot to mention that I am using PHP to concatenate the Lua code (user code and sandbox code) and then run it with the Lua interpreter.

If I do it like this:

$x = sprintf("%s", $user_code);
$lcode = " ... run_in_sandbox($x) ... ";
run_in_lua($lcode);

will the PHP and Lua special chars and their escaped equivalents match? I thought it would be easier just to replace "]]" and "[[" in the user code with something like "\[\[" and "\]\]" instead of sprintfing it, and then just do

$lcode = " ... run_in_sandbox([[ $user_code ]]) ... ";
run_in_lua($lcode);

regards
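The following is an added example, not code from either message in this thread. It runs the three approaches discussed (plain long brackets, long brackets with "]]" rewritten to "\]\]", and string.format's %q) through the Lua loader against ordinary user text that happens to contain "]]" and a double quote, and reports what a stand-in run_in_sandbox() actually received. The stub run_in_sandbox, the loader shim and the sample user text are assumptions made for the example. It also includes a hand-written lua_quote() that applies the same rules as %q, because PHP's sprintf has no %q and whatever assembles the script outside Lua has to reproduce those rules itself.

```lua
-- Added example (not from the thread). Assumes Lua 5.1 or later and a
-- stand-in run_in_sandbox() that only records the string it was handed.

local loadfn = loadstring or load   -- loadstring is Lua 5.1, load is 5.2+

local received
function run_in_sandbox(s) received = s end   -- global so generated code can call it

-- Naive: wrap user text in long brackets. Long brackets do not interpret
-- backslashes, so nothing substituted into the user text can protect the
-- "]]" end marker; it ends the literal wherever it appears.
local function build_naive(user_code)
  return "run_in_sandbox([[" .. user_code .. "]])"
end

-- The replace-"]]"-with-"\]\]" variant from the question, for comparison.
local function build_replaced(user_code)
  local s = user_code:gsub("%]%]", "\\]\\]")
  return "run_in_sandbox([[" .. s .. "]])"
end

-- Correct: let string.format's %q produce a short-string literal in which
-- every special byte is escaped, so the user's text is reproduced exactly.
local function build_quoted(user_code)
  return "run_in_sandbox(" .. string.format("%q", user_code) .. ")"
end

-- Hand-written equivalent of %q, showing the rules an escaper outside Lua
-- (e.g. on the PHP side) must follow: double quote, backslash, CR/LF and
-- other control bytes become escapes the Lua lexer accepts.
local function lua_quote(s)
  local out = s:gsub('[%c"\\]', function(c)
    if c == '"' then return '\\"' end
    if c == '\\' then return '\\\\' end
    if c == '\n' then return '\\n' end
    if c == '\r' then return '\\r' end
    return string.format('\\%03d', c:byte())   -- e.g. NUL -> \000
  end)
  return '"' .. out .. '"'
end

local function build_hand_quoted(user_code)
  return "run_in_sandbox(" .. lua_quote(user_code) .. ")"
end

-- Load and run a generated script; return ok plus what the stub received,
-- or false plus the load/runtime error.
local function try(builder, user_code)
  received = nil
  local script = builder(user_code)
  local chunk, err = loadfn(script, "=generated")
  if not chunk then return false, err end
  local ok, rerr = pcall(chunk)
  if not ok then return false, rerr end
  return true, received
end

-- Constructed input: harmless Lua that contains "]]", a quote and a newline.
local user = 'local v = t[i[1]]\nprint("done")'

for _, case in ipairs({
  {"naive long bracket", build_naive},
  {"long bracket with \\]\\]", build_replaced},
  {"string.format %q", build_quoted},
  {"hand-written quote", build_hand_quoted},
}) do
  local ok, result = try(case[2], user)
  if ok and result == user then
    print(case[1] .. ": round-trips exactly")
  elseif ok then
    print(case[1] .. ": loaded, but the user text was altered")
  else
    print(case[1] .. ": generated script is broken: " .. tostring(result))
  end
end
```

With this input the naive long-bracket script fails to load, because the "]]" inside `t[i[1]]` closes the literal early. The "\]\]" rewrite happens to load here but hands the sandbox text with literal backslashes in it, so the user's code is no longer what they wrote, and with different input it can still terminate early. Only the %q form and its hand-written equivalent deliver the original text unchanged.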