You are ok if you are eval'ing on something which is not user provided. The risk is if you are eval'ing something which is user input, which then would subject you to risk. Below I am assuming your arg is a field name which is something passed by your own code.
David

On Sat, Sep 25, 2010 at 8:38 AM, Jim Burgess <li...@ruby-forum.com> wrote:
> Hi,
>
> If I want to ensure that someone has filled out the email section of a
> form I can write this in my model:
>
>     validates_presence_of :email
>
> I can also achieve (more or less) the same thing by writing:
>
>     validate do |applicant|
>       applicant.validate_presence("email")
>     end
>
>     def validate_presence(arg)
>       string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
>       eval(string)
>     end
>
> My question: does the method using eval pose any kind of security
> threat?
>
> I know the above example is silly (redefining an existing validation
> method), but it serves well as a simplified version of what I am trying
> to do, without going into unnecessary detail.
>
> Thanks in advance
>
> --
> Posted via http://www.ruby-forum.com/.
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-t...@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
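The distinction David draws, as an added example that is not part of the thread: the eval-based validator from the question next to a version that never turns the field name into code. This is plain Ruby with a hypothetical Applicant class standing in for the model, and `errors` is a simple Hash of field => [messages] rather than ActiveModel::Errors (so `errors[:field] <<` replaces the original `errors.add`).

```ruby
# Stand-in for an ActiveRecord model (assumption: no Rails loaded).
class Applicant
  attr_accessor :email, :name
  attr_reader :errors

  # Field names the hardened validator is allowed to inspect (allowlist).
  VALIDATABLE = %w[email name].freeze

  def initialize(email: nil, name: nil)
    @email = email
    @name = name
    @errors = Hash.new { |h, k| h[k] = [] }
  end

  # The approach from the question: the field name is interpolated into
  # Ruby source and eval'd. Safe only while `arg` is a literal written in
  # your own code; any string that reaches here from a request is run as Ruby.
  def validate_presence_eval(arg)
    string = "errors[:#{arg}] << \"can't be blank\" if #{arg} == \"\""
    eval(string)
  end

  # Hardened approach: check the name against the allowlist, then read the
  # attribute with public_send. No string is ever parsed as code, so the
  # worst an unexpected name can do is raise ArgumentError.
  def validate_presence(arg)
    field = arg.to_s
    raise ArgumentError, "unknown field #{field.inspect}" unless VALIDATABLE.include?(field)

    value = public_send(field)
    errors[field.to_sym] << "can't be blank" if value.nil? || value.to_s.strip.empty?
  end

  def valid?
    errors.empty?
  end
end
```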