On 25 September 2010 14:38, Jim Burgess <li...@ruby-forum.com> wrote:
> def validate_presence(arg)
>  string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
>  eval(string)
> end
>
> My question: does the method using eval pose any kind of security
> threat?

I'd say it's not a particular security threat (especially if you make
the 'validate_presence' method private). But it does pose a
code-legibility and slight smell threat. If you feel you need to use
eval, you're probably missing some other way of achieving the result
you're after.

Obviously, you've deliberately contrived your example to illustrate,
but by the same token that there's no need to do the eval in the
example (because you could just execute the line in the string), in
your real use-case I'd be suspicious of what other ways you could
arrange the code to avoid the eval.

NOI HTH

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-t...@googlegroups.com.
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en.
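Added example, not code from the thread: the eval-based `validate_presence` beside an equivalent that avoids eval by looking the attribute up with `public_send`, using a minimal stand-in for Rails' `errors` object (the `Errors` and `Person` classes are constructed for this illustration). It shows that the eval version runs whatever text arrives as the attribute name, while the lookup version refuses anything that is not a declared attribute.

```ruby
# Minimal stand-in for ActiveModel's errors object (constructed, not Rails).
class Errors
  def initialize; @messages = {}; end
  def add(attr, msg); (@messages[attr] ||= []) << msg; end
  def [](attr); @messages.fetch(attr, []); end
  def empty?; @messages.empty?; end
end

class Person
  ATTRIBUTES = [:name, :email].freeze
  attr_accessor(*ATTRIBUTES)
  attr_reader :errors

  def initialize(name: nil, email: nil)
    @name, @email, @errors = name, email, Errors.new
  end

  # The approach from the thread: build Ruby source from `arg` and eval it.
  # Whatever `arg` contains becomes program text; "nil" or any other
  # expression is accepted without complaint.
  def validate_presence_with_eval(arg)
    string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
    eval(string)
  end

  # Same check without eval: the name is only ever used as a lookup key,
  # and names that are not declared attributes are rejected up front.
  def validate_presence(arg)
    attr = arg.to_sym
    unless ATTRIBUTES.include?(attr)
      raise ArgumentError, "unknown attribute #{arg.inspect}"
    end
    errors.add(attr, "can't be blank") if public_send(attr) == ""
  end
end

# Helper (constructed) to run either version on one record and return
# the messages recorded for :name.
def presence_errors(name, arg, use_eval: false)
  person = Person.new(name: name, email: "jim@example.com")
  if use_eval
    person.validate_presence_with_eval(arg)
  else
    person.validate_presence(arg)
  end
  person.errors[:name]
end
```

Passing the string "nil" as the attribute name illustrates the difference: the eval version silently evaluates `nil == ""` and reports nothing, whereas the lookup version raises `ArgumentError` before any code runs.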
