Argh!

Please stop telling people to eval user supplied strings!

The *ONLY* time it is safe to use eval is if all the contents are  
generated by you and NONE of the components come from user input.

It looks here like original_string comes from the user.

Imagine if I supplied this:

" => 'lame'; `rm -rf /` #

On 9 Mar 2006, at 12:03, Marcin Mielżyński wrote:

> Nick Snels wrote:
>> Hi,
>> I get a string inputted in my program, which I convert to a hash-like
>> string, like:
>> sql = '"table_alias" => [],"original_string" => "select * from table"'
>
> The simplest, although slow:
>
> sql = '"table_alias" => [],"original_string" => "select * from table"'
> hash = eval('{'+sql+'}')
>
>
> lopex
>
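
An alternative to the eval in the quoted reply, added here as an example and not written by anyone in this thread: a small parser that accepts only the shape of the sample string and rejects everything else, so user input is never executed as Ruby. The module name HashString and the accepted grammar are assumptions based on the one sample shown.

```ruby
require 'strscan'

# Added example, not from the thread. Grammar is an assumption based on the
# one sample shown: "key" => value pairs separated by commas, where a value
# is a double-quoted string (escapes: \" and \\) or a [...] list of values.
module HashString
  class ParseError < StandardError; end
  module_function

  def parse(text)
    s = StringScanner.new(text)
    result = {}
    loop do
      key = string(s)
      token(s, /=>/)
      result[key] = value(s)
      break unless s.scan(/\s*,/)
    end
    s.skip(/\s*/)
    raise ParseError, "unexpected input at offset #{s.pos}" unless s.eos?
    result
  end

  # Skip whitespace, then require the token; anything else is rejected.
  def token(s, re)
    s.skip(/\s*/)
    s.scan(re) or raise ParseError, "expected #{re.source} at offset #{s.pos}"
  end

  def string(s)
    token(s, /"(?:[^"\\]|\\["\\])*"/)[1..-2].gsub(/\\(["\\])/, '\1')
  end

  def value(s)
    s.skip(/\s*/)
    return string(s) if s.peek(1) == '"'
    token(s, /\[/)
    items = []
    return items if s.scan(/\s*\]/)
    loop do
      items << value(s)
      break unless s.scan(/\s*,/)
    end
    token(s, /\]/)
    items
  end
end
```

HashString.parse(sql) returns the hash for the sample string and raises HashString::ParseError for input shaped like the one shown above, because the text after the closing quote is neither a comma nor the end of the string.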