HP OpenVMS Systems - Ask the Wizard

The Question is:
I've recently seen some references in comp.os.vms that indicate the DCL command "INQUIRE" is a security risk and the use of "READ" is recommended. Could you elaborate on the risks of using "INQUIRE"? Thank you.

The Answer is:
INQUIRE performs DCL symbol substitutions -- this is documented and
intended behaviour. It is also expressly prohibited within CAPTIVE
command procedures, for reasons that should hopefully become obvious.
The following shows an example:
$! 'f$verify(0)'
$ inquire/nopunct input "enter the string: 'f$verify(1)'"
$! if you entered 'f$verify(1)', you see this...
$ exit
The first f$verify -- yes, in a comment -- executes and disables
verification. If you enter the specified text string, you will
reenable verification.
From the V7.2 DCL Dictionary: To use symbols or lexical functions
when you enter a response to the prompt string, use single
quotation marks ('') to request symbol substitution.
Left as an exercise for the reader: think about what will happen if
you enter the string 'F$PID(GOTO) at the prompt.
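The following is an added example, not part of the Wizard's answer, showing the prompt from the procedure above rewritten with READ SYS$COMMAND, the form recommended in place of INQUIRE (and the one permitted in CAPTIVE procedures). READ stores the typed text in the symbol exactly as entered and performs no symbol or lexical substitution on it; the symbol name INPUT and the label DONE are this example's own choices.

```dcl
$! Added example (not from the Ask the Wizard answer): prompting with
$! READ instead of INQUIRE. The typed text is stored verbatim; any
$! apostrophes or lexical functions the user types are not evaluated.
$ set noon
$ on control_y then goto done
$ read/prompt="enter the string: "/end_of_file=done sys$command input
$! INPUT now holds the text as typed. Use the symbol's value in an
$! expression, as below; do not re-insert it into a command line with
$! apostrophes ('input'), since that would reintroduce substitution.
$ write sys$output "you entered: ", input
$ show symbol input
$done:
$ exit
```

If a user types 'f$verify(1)' at this prompt, the symbol INPUT simply contains that string; verification stays off and nothing is executed.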