#import "ExpertSample.dll"int GetIntValue(int);#import
but it can be like this?
There's not really much difference between that versus what Windows does "allow", which is downloading a file from a server and then linking to it dynamically.
For example, it's possible to do the following in MQL4, because MT4 doesn't verify the existence of test.dll until the call to TestFunction() is actually made:
int CreateFileW(string, int, int, int, int, int, int);
int WriteFile(int, char & arr, int, int&, int);
// Download DLL file from server
char post, data;
int res = WebRequest("GET", "http://myserver/myfile.dll", NULL, NULL, 10000, post, 0, data, headers);
// Write DLL file to MQL4\Libraries
string strFile = StringConcatenate(TerminalInfoString(TERMINAL_DATA_PATH), "\\MQL4\\Libraries\\Test.dll");
int f = CreateFileW(strFile, 1073741824, 0, 0, 2, 0, 0);
WriteFile(f, data, ArraySize(data), szWrite, 0);
// Call newly-downloaded DLL
What's very interesting about this is that's possible to do the following...
(In other words, you can import a DLL which is in MQL4\Files rather than MQL4\Libraries)
... However, you can't use MQL4's FileWriteArray() etc to create the DLL file in MQL4\Files. You have to use the Win32 file functions. After experimentation, it turns out that MT4 contains some very careful checks which prevent you creating an executable file using the built-in functions such as FileWriteArray(), FileWriteString(). It won't allow you to create a file which starts with the 0x905A4D executable header.
There is a huge difference, if you load an executable from the internet, any hacker can tamper it.
Technically, there is no problem with downloading and writing any file to the local file system, as you have DLL enabled anyway. The major problem is you cannot (re)load a new DLL by the already running script. It was possible with MT4 509, but currently it must be loaded within the script start.
I don't see the fundamental difference between #import "http://myserver/mydll.dll" and the code above. One way or another, the executable code passes over the internet; is, in theory, vulnerable to manipulation in transit; and is then executed on the local machine.
It depends on one's threshold for "insecure". Downloading an EA and turning on DLL imports is fundamentally similar to downloading and running any other software from the internet. You need to trust the software's author - or the activity-scanner of your anti-virus software.
You need to trust any EA author to some degree. You don't need DLL imports to write an EA which, on a pre-arranged date, suddenly starts placing huge trades until it blows up your account - either just in order to cause malicious damage, or because the author has some sort of financial relationship with a B book broker.