I'm 100% sure.
This is the code I've used:
on *:TEXT:!Users*:*: {
scid 1 //c.users $2
}
alias c.users {
var %c.calc = $nick($1,0)
scid 1 //msg #ChanYouWantToPost %c.calc
}
Note that the only difference with yours is that I put a 1 after the scid, because I was testing this on a client that is only on 1 network.
For example, do you know many people have an alias for quit? Like /q for example or even /quit that will add an extra message for them?
Here's how to make those people quit with the code you gave the original requester:
I type: !users $quit, and the person who hosts this script is disconnected. Now you may say it's all very innocent, and it depends on them having a /quit alias, but many do, and it shouldn't be possible to do it in the first place. Oh wait, you dismiss this argument? Fine, let's just install a quit alias on their mIRC, just to be sure, ok?
!users $($replace(alias*quit*quit*|*$quit,*,$chr(32)),2)
There we go, this created a /quit alias on their computer, and immediately after that made them quit.
Let's make things a little bit worse. Fortunately for you, you put $2 instead of $2-, or it would have been even easier to exploit, but with a little inventivity we will achieve the same result.
!users $findfile($mircdir,*,0,$replace(echo*-a*$1,*,$chr(32))).shortfn
Guess what it does? Right, it will echo all files in your mirc directory. It's easy to change this to delete all your files on your c:\ drive, but I'm not showing how. I could use /run ... and have access to the DOS command prompt, and you know what that means, right?
If you had put $2-, then I wouldn't even have to use that $replace hack, but maybe it's for the best that you did, so I can show you that you need to be really careful about what kind of code you give out to people.
You were lucky in another sense that you put scid 2 .... People who only have 1 server window open, will see it raise an error, which halts the script, and thus also the malicous code. However again, thats playing with fire, as many many people have atleast 2 server windows open, which means all of them are vulnerable for exploits with your code.
I sincerely hope you've finally understood my worries, and that in the future you, and other people will take these dangers of double evaluation into account that come with commands like /timer, /scid, /scon ...
Ways to prevent this problem were shown
here where I've already linked to.
One last note, people might think that the examples I gave might give people ideas to try to exploit such code however anyone that knows $findfile and can read the help file knows that it can execute commands. The solution is not removing this functionality as it serves a great purpose, but to make less experienced scripters aware of these issues so that they cease to be an issue in the first place. If you don't give out code that is open to exploits, then it doesn't matter if $findfile can execute commands, or that $eval works the way it does.
Nevertheless, it's a shame that I have to go so far as to give you actual examples, when you could have simply taken my word for it, or tried out some things on your own.