I think the protection is that the DLL would still need to be launched by the report designer. The user defined DLL is loaded as a function that is listed in the Functions drop down. If you look in the Other Functions listing in Crystal you can see where some user defined functions have already been written.


>But the difference is that in this case, an application is
>automatically loading DLL's, simply becaise it's there.
>
>In apps we normally write, somewhere in code, there would be a
>CREATEOBJECT() to instantiate it. That means the application is
>expecting the DLL. In the case of Crystal, the Crystal application
>has no idea what is being loaded.
>
>If someone wrote a malicious DLL, and put it on your PC, unless you or
>someone else wrote an application that specifially calls this DLL,
>it would just sit there an never be a problem.
>
>Crystal is, by nature of this feature, providing an automatic
>launcher for any DLL which is named with "CRUFL". All the DLL
>has to do to be run, is be loaded and registered on the PC and
>wait for a Crystal application to start.