On 25 September 2010 14:38, Jim Burgess <li...@ruby-forum.com> wrote:
> def validate_presence(arg)
>   string = "errors.add(:#{arg}, \"can't be blank\") if #{arg} == \"\""
>   eval(string)
> end
>
> My question: does the method using eval pose any kind of security
> threat?
I'd say it's not a particular security threat (especially if you make the 'validate_presence' method private). But it does pose a code-legibility and slight smell threat.

If you feel you need to use eval, you're probably missing some other way of achieving the result you're after. Obviously, you've deliberately contrived your example to illustrate, but by the same token that there's no need to do the eval in the example (because you could just execute the line in the string), in your real use-case I'd be suspicious of what other ways you could arrange the code to avoid the eval.

NOI HTH
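The eval-free rewrite the reply points towards, as an added example that is not part of the thread: the attribute name goes through an explicit allow-list and public_send instead of being interpolated into a string for eval, so an unexpected name is rejected rather than executed. It assumes a small stand-in Person record with its own Errors class in place of ActiveModel, and it also treats nil and whitespace-only values as blank, which the posted `== ""` check does not.

```ruby
# Minimal stand-in for ActiveModel-style errors (constructed for this example).
class Errors
  def initialize; @messages = Hash.new { |h, k| h[k] = [] }; end
  def add(attr, msg); @messages[attr.to_sym] << msg; end
  def [](attr); @messages[attr.to_sym]; end
  def to_h; @messages.dup; end
end

class Person
  # The only attribute names validate_presence will ever dispatch on.
  VALIDATABLE = %i[name email].freeze

  attr_accessor :name, :email
  attr_reader :errors

  def initialize(name: nil, email: nil)
    @name, @email = name, email
    @errors = Errors.new
  end

  # Public entry point: checks every allow-listed attribute, true if all present.
  def valid?
    VALIDATABLE.map { |a| validate_presence(a) }.all?
  end

  private

  # Same job as the posted method, without eval: look the value up with
  # public_send and record an error when it is blank. Names outside
  # VALIDATABLE raise instead of reaching public_send at all.
  def validate_presence(arg)
    attr = arg.to_sym
    raise ArgumentError, "unknown attribute #{arg.inspect}" unless VALIDATABLE.include?(attr)

    value = public_send(attr)
    return true unless value.nil? || value.to_s.strip.empty?

    errors.add(attr, "can't be blank")
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  person = Person.new(name: "Ada", email: "")
  person.valid?
  p person.errors.to_h # => {:email=>["can't be blank"]}
end
```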