On 08/03/07, Patrick Spence <patrick / pkspence.com> wrote:
> Marcin Mielyski wrote:
> > dblack / wobblini.net wrote:
> >>
> >> David
> >>
> >
> > I know that eval is not safe but it appears that it is much faster than
> > inject version
> <snip>
> Just out of curiosity, how is "eval()" not safe? I'm doing something very
> similar to the OP and have adopted the Object.const_get() approach as
> suggested by David. I'd like to get a better understanding of why this
> is the preferred method.
Unless you have tight control of your user input you run the risk of injection attacks where you might eval "system('rm -rf /')".
Farrel
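An added example (not from the thread) of the Object.const_get approach David suggested, with an allowlist on top: const_get looks a constant up by name rather than parsing Ruby source, so the string from Farrel's reply cannot execute. The Report module, its classes and the sample inputs are made up for illustration.

```ruby
# Added example, not code from the thread. Resolving a user-supplied class
# name with Object.const_get plus an allowlist, instead of eval.
# The Report module, class names and inputs are constructed for illustration.

module Report
  class Daily;   def self.label; "daily";   end; end
  class Monthly; def self.label; "monthly"; end; end
end

# Only constants we intend to expose; everything else is refused.
ALLOWED_REPORTS = %w[Report::Daily Report::Monthly].freeze

# Shape of a plain constant path such as "Foo" or "Foo::Bar".
CONST_PATH = /\A[A-Z][A-Za-z0-9_]*(::[A-Z][A-Za-z0-9_]*)*\z/

class UnknownReport < ArgumentError; end

# Resolve +name+ (e.g. a form field) to a class. const_get performs a
# constant lookup, never an eval, so "system('rm -rf /')" would raise
# NameError even without the checks; the checks give a clear rejection
# and stop well-formed but unintended names such as "Kernel".
def lookup_report(name)
  raise UnknownReport, "malformed name: #{name.inspect}" unless CONST_PATH.match?(name)
  raise UnknownReport, "not permitted: #{name}" unless ALLOWED_REPORTS.include?(name)
  Object.const_get(name) # Ruby >= 2.0 accepts "A::B" paths
end

# Returns :rejected when the name is refused, else the resolved class's label.
def describe_report(name)
  lookup_report(name).label
rescue UnknownReport
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  p describe_report("Report::Daily")      # "daily"
  p describe_report("system('rm -rf /')") # :rejected
  p describe_report("Kernel")             # :rejected (well-formed, not allowlisted)
end
```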