Hi --
On 3/8/07, Patrick Spence <patrick / pkspence.com> wrote:
> Marcin Mielyski wrote:
> > dblack / wobblini.net wrote:
> >>
> >> David
> >>
> >
> > I know that eval is not safe but it appears that it is much faster than
> > inject version
> <snip>
> Just out of curiosity, how is "eval()" not safe? I'm doing something very
> similar to the OP and have adopted the Object.const_get() approach as
> suggested by David. I'd like to get a better understanding of why this
> is the preferred method.
eval is not safe in any situation where there's any possibility that
you're executing text of unknown origin or suspicious composition. As
in:

  command = gets.chomp
  eval "system('#{command}')"

An extreme example, but you see the point :-) When the input is not
suspicious, eval still often has a bit of a flavor of a brute-force
approach to doing things that there might be a more elegant way of
doing.

David
--
Q. What is THE Ruby book for Rails developers?
A. RUBY FOR RAILS by David A. Black (http://www.manning.com/black)
   (See what readers are saying!  http://www.rubypal.com/r4rrevs.pdf)
Q. Where can I get Ruby/Rails on-site training, consulting, coaching?
A. Ruby Power and Light, LLC (http://www.rubypal.com)
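An added example, not part of the thread above and not David's or Patrick's code, showing the eval-versus-const_get contrast David describes applied to the OP's task of turning a user-supplied class name into a class object. The Shapes module, the CONST_PATH pattern and the hostile input string are constructed for the illustration; the const_get lookup walks a "::"-separated path with inject, which is the "inject version" the quoted reply refers to, and rejects anything that is not a bare constant path before it ever looks a name up.

```ruby
# Constructed module tree standing in for the OP's own classes (assumed).
module Shapes
  class Circle; end
  class Square; end
end

# The unsafe way: whatever the string contains is executed as Ruby code,
# so "Shapes::Circle; system('rm -rf /')" would run the second statement.
def class_by_eval(name)
  eval(name)
end

# Constant paths only: Capitalised identifiers separated by "::".
# Anything else (spaces, semicolons, parentheses) is refused up front.
CONST_PATH = /\A[A-Z]\w*(::[A-Z]\w*)*\z/

# The safe way: const_get performs a constant lookup and never evaluates
# code. Walking the path segment by segment with inject works on every
# Ruby version, and an unknown name raises NameError instead of doing
# anything. inherit=false keeps the lookup inside the named namespace.
def class_by_const_get(name)
  unless name.match?(CONST_PATH)
    raise ArgumentError, "not a constant path: #{name.inspect}"
  end
  name.split("::").inject(Object) { |mod, part| mod.const_get(part, false) }
end

# Constructed hostile input: a valid constant followed by injected code.
# A harmless global assignment stands in for the payload an attacker
# would actually supply.
HOSTILE = "Shapes::Circle; $injected = true"

# Runs both lookups against the hostile string and reports what happened.
def demo
  $injected = false
  class_by_eval(HOSTILE)
  eval_ran_injection = $injected

  $injected = false
  rejected = begin
    class_by_const_get(HOSTILE)
    false
  rescue ArgumentError
    true
  end

  {
    eval_ran_injection: eval_ran_injection,   # true: the payload executed
    const_get_rejected: rejected,             # true: input refused
    injected_after_const_get: $injected       # false: nothing ran
  }
end

if __FILE__ == $0
  p demo
end
```

Note that const_get on its own is not an allow-list: any constant that is loaded (Kernel, File, the OP's own internal classes) can still be named. If the set of acceptable classes is known, check the resulting constant against that set, or dispatch through a Hash of name to class, rather than relying on the path regex alone.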