Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have been using the eval method in ruby many times. But I have heard people saying eval is nasty. When asked, why and how, I could never get a convincing reason not to use it. Are they really nasty? and if so, in what way? What are possible "safer" options to eval?
If you are
evaling a string submitted by, or modifiable by the user, this is tantamount to allowing arbitrary code execution. Imagine if the string contained an OS call torm -rf /or similar. That said, in situations where you know the strings are appropriately constrained, or your Ruby interpreter is sandboxed appropriately, or ideally both,evalcan be extraordinarily powerful.The problem is analogous to SQL injection, if you’re familiar. The solution here is similar to the solution to the injection problem (parameterized queries). That is, if the statements you would like to
evalare known to be of a very specific form, and not all of the statement need be submitted by the user, only a few variables, a math expression, or similar, you can take in these small pieces from the user, sanitize them if necessary, then evaluate the safe template statement with the user input plugged in in the appropriate places.