Topic: Make it impossible to manipulate an eval command?

This code copies all necessary variables from a brick over to a script object, based on the client's current inventory num.

Problem is, someone with just the right knowledge has the ability to manipulate the eval command via event lines.

I want to handle fonts and color codes, but eliminate any possibility that the player may use characters such as @ crash(); @

Quote
   function Salv_CopyBrick(%so, %brick, %Inv)
   {
      if(%brick.getName() !$= "") %so.brickName[%Inv] = %brick.getName();
      //%so.angleID[%Inv] = %brick.angleID;
      //%so.client[%Inv] = %brick.client;
      %so.colorFxID[%Inv] = %brick.colorFxID;
      %so.colorID[%Inv] = %brick.colorID;
      %so.dataBlock[%Inv] = %brick.dataBlock;
      %so.isBasePlate[%Inv] = %brick.isBasePlate;
      %so.isPlanted[%Inv] = %brick.isPlanted;
      //%so.position[%Inv] = %brick.position;
      %so.printID[%Inv] = %brick.printID;
      //%so.rotation[%Inv] = %brick.rotation;
      //%so.scale[%Inv] = %brick.scale;
      %so.shapeFxID[%Inv] = %brick.shapeFxID;
      //%so.stackBL_ID[%Inv] = %brick.stackBL_ID;

      //Tagged Fields
      for(%i=0;%i<getTagCount(%brick);%i++)
      {
         %Str = %brick.getTaggedField(%i);

         %Tag = getWord(%Str, 0);
         %Val = getSubStr( %Str, strLen(getWord(%Str,0))+1, 999999 );

         if(%Tag $= "emitter")
            %so.emitterData[%Inv] = %brick.emitter.emitter;
         else if(%Tag $= "light")
            %so.lightData[%Inv] = %brick.light.dataBlock;
         else if(%Tag $= "item")
            %so.itemData[%Inv] = %brick.item.dataBlock;
         else if(%Tag $= "audioEmitter")
            %so.musicData[%Inv] = %brick.audioEmitter.profile;
         else
            eval(%so @ "." @ %Tag @ %Inv @ " = \"" @ %Val @ "\";");
      }
   }

replace \\ with \\\\
replace \" with \\\"

replace \\ with \\\\
replace \" with \\\"
Are those the ONLY characters I have to watch out for?

This was also suggested over Steam to me:

Quote
Oh. May just want to cut your losses and just do stripchars(%str, ";");
« Last Edit: November 17, 2013, 03:50:41 AM by Conservative »

If you can figure out a way to use call() you're home free
call("talk","hello world");
Don't do call("eval", ...); as that's no better than what you've got.

Otherwise, just remove any ; ( ) @ $ or % you don't want before calling eval()
Are those the ONLY characters I have to watch out for?

This was also suggested over Steam to me:

god no.

Remove literally every character that ISN'T ABSOLUTELY NECESSARY

Seriously just whitelist the stuff (for each character in string, if it isn't one of these, return false and ABORT or just remove it)
« Last Edit: November 17, 2013, 03:52:35 AM by Lugnut »



Wait, that works on normal objects??
Yep.

new ScriptObject(one) { valid = true; };
new ScriptObject(two : one);
if(!two.valid) crash();

Are those the ONLY characters I have to watch out for?
Yes, as you start the value with a " and end it with a ". That means, the only way to inject some stuff is to add another ", right? So you need to prevent that.

yesyesyes scriptobject not simobject

siba use scriptobjects

Yes, as you start the value with a " and end it with a ". That means, the only way to inject some stuff is to add another ", right? So you need to prevent that.
No. If I send \" the prefixed \ will cancel the added \, keeping the " active.
« Last Edit: November 17, 2013, 02:15:54 PM by $trinick »

No. If I send \" the prefixed \ will cancel the added \, keeping the " active.

strReplace(strReplace(%text, "\"", "\\\""), "\\", "\\\\");

strReplace(strReplace(%text, "\"", "\\\""), "\\", "\\\\");
Do it the other way around

Like that, you get \" -> \\\" -> \\\\\" and \\\" -> \\\\\" -> \\\\\\\\\"

The other way around, you get \" -> \\\" and \\\" -> \\\\\" -> \\\\\\\"

replace \\ with \\\\
replace \" with \\\"
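
Added example (not from any poster in this thread): a Python model, not TorqueScript, of how a double-quoted literal is scanned, comparing the replacement orders discussed above. It assumes a backslash escapes the next character; the function names and sample strings are constructed for illustration.

```python
# Model of a double-quoted string literal: a backslash escapes the next
# character (assumed simplification), an unescaped quote ends the literal.

def esc_quote_only(s):
    # Only quotes are escaped; backslashes pass through untouched.
    return s.replace('"', '\\"')

def esc_quote_then_backslash(s):
    # Order posted first in the thread: quotes, then backslashes.
    return s.replace('"', '\\"').replace('\\', '\\\\')

def esc_backslash_then_quote(s):
    # "The other way around": backslashes first, then quotes.
    return s.replace('\\', '\\\\').replace('"', '\\"')

def breaks_out(body):
    """True if body, placed between two quotes, ends the literal early
    or swallows the closing quote."""
    i = 0
    while i < len(body):
        if body[i] == '\\':
            if i + 1 == len(body):
                return True      # trailing backslash escapes the closing quote
            i += 2               # skip the escaped character
            continue
        if body[i] == '"':
            return True          # unescaped quote: the literal ends here
        i += 1
    return False

# Constructed sample values, including a color tag the value must still carry.
SAMPLES = ['plain text', '"', '\\"', 'ends with \\', '<color:ff0000>red']

def report():
    """Map each sample to (quote only, quote then backslash, backslash then quote)."""
    return {s: (breaks_out(esc_quote_only(s)),
                breaks_out(esc_quote_then_backslash(s)),
                breaks_out(esc_backslash_then_quote(s)))
            for s in SAMPLES}

if __name__ == "__main__":
    for sample, result in report().items():
        print(repr(sample), result)
```

Only the backslash-first order keeps every sample inside the literal; the color tag passes through unchanged in all three.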

It's easier to just do expandEscape(%text);

It's easier to just do expandEscape(%text);
What would that do?

EDIT: I'm trying to create the ScriptObject now but I can't find a way to do it through code on %brick..

%so = new ScriptObject("Salvage_" @ %client.bl_id : %brick); returns a syntax error.
« Last Edit: November 17, 2013, 03:29:07 PM by Conservative »

Just to clarify the above, he's trying to copy the variables %brick has onto the ScriptObject.