kurbylogic

Niner since 2006


  • Paul Vick and Erik Meijer - Dynamic Programming in Visual Basic

    What I was hoping to see here was an interactive programming shell like Monad, but with Visual Basic syntax instead of the rather cryptic Perl-like syntax. VB might have some potential here, but instead what I saw scared me. Please take that compiler away from them before they hurt someone.

    The first poster mentioned the possibility of something like:

    > messagebox.show(person.(Form1.textbox.text))

    Ouch! This feature is a hacker's dream. External data should be assumed to be untrusted; the last thing you want to do is blindly execute whatever the user types in.
    For example, say your textbox is on a web form and the web application has access to a database. With a little insider knowledge or trial and error, he uses the web application's credentials to connect to the local database on the web server and deletes some data, such as:

    New SqlCommand("Delete * from CustTable", New SqlConnection(...)).ExecuteNonQuery()

    After deleting all your customers (and all cascading relations) you'll probably get an exception such as "the method or property 1238 on person does not exist" (1238 being the result of ExecuteNonQuery, i.e. the number of records deleted from the table). Even if this were perhaps a query from some XML metadata about the person object, the application must be extremely careful to ensure that whatever gets evaluated in the () is safe to execute. Assuming you knew what it was you were executing between the (), then why not just put it there? If you don't know what will be in the (), then you probably shouldn't be executing it. It might be useful in some ad-hoc one-off scripting such as an administrative WMI query or something like that, but I would never ever use it in production code.

    - Kurt
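The safer shape of the lookup Kurt is objecting to, as an added example that is not part of the original post or of the VB team's work: the text-box string is only used to select from a fixed allowlist of property names before anything is looked up by reflection, so arbitrary input can never name a member (or a method with side effects) the developer did not intend to expose. The Person class, its properties and the sample inputs are constructed for this example.

```vb
' Added example (not from the original post or from the VB team's code).
' Shows the safe alternative to evaluating an untrusted string as a member name:
' the user-supplied string only picks from a fixed allowlist of properties, and
' anything else is rejected before reflection is ever consulted.
' Person, its property names and the sample inputs are constructed for this example.
Imports System
Imports System.Collections.Generic
Imports System.Reflection

Public Class Person
    Public Property FirstName As String = "Ada"
    Public Property City As String = "London"
    ' Something a user must never be able to reach by typing its name.
    Public Property PasswordHash As String = "<constructed placeholder>"
End Class

Public Module SafeLookup
    ' Only these members may be read via user-supplied names.
    ' Ordinal comparison: "firstname" is not the same as "FirstName".
    Private ReadOnly Allowed As New HashSet(Of String)(
        {"FirstName", "City"}, StringComparer.Ordinal)

    ' Returns True and the property value when the name is allowlisted,
    ' False otherwise. Unlike person.(textbox.Text), a miss never reaches reflection.
    Public Function TryGetMember(p As Person, name As String, ByRef value As String) As Boolean
        value = Nothing
        If name Is Nothing OrElse Not Allowed.Contains(name) Then Return False
        Dim prop As PropertyInfo = GetType(Person).GetProperty(name)
        If prop Is Nothing Then Return False
        value = CStr(prop.GetValue(p))
        Return True
    End Function

    Sub Main()
        Dim p As New Person()
        ' Constructed inputs standing in for Form1.textbox.Text.
        For Each requested As String In {"City", "PasswordHash", "DeleteAll", "firstname"}
            Dim v As String = Nothing
            If TryGetMember(p, requested, v) Then
                Console.WriteLine("{0} = {1}", requested, v)
            Else
                Console.WriteLine("{0}: rejected", requested)
            End If
        Next
    End Sub
End Module
```

Only "City" resolves; "PasswordHash" is a real property but not allowlisted, and the other two inputs are rejected without ever touching reflection.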