Re: Using a string as executable code

< ^ > P N |<>| ^ _>< --- | ~ ...Help
The problem with code in the database is ... the database. If there is
a vulnerability in the way you store things in the database, a
malicious user could execute arbitrary code on your server through the
pipe you open.

a.instance_eval "`uname -a`" ---> print system name
a.instance_eval "`whoami`" ---> print user name
... explore, find a security weakness, create an account, go in and
steal the house !

It is good practice to keep some doors closed, just in case.

Gaspard

2008/4/4, Peter Marks <petertmarks / gmail.com>:
> ara.t.howard wrote:
>  > there are many easy ways to handle this
>  >
>  > i don't know what you mean by 'string function'  but:
>
>
> Thanks for your response. All I mean by 'string function' is a bit of
>  code that produces a string. Using my example, 'person.name' and
>  'person.name.upcase' are different string functions. I don't know if I'm
>  using the right terminology, but that's what I mean. If I was to define
>  all of these 'string functions' as individual methods, it would be a lot
>  of additional hard code and I would still have these method names locked
>  into the db.
>
> --
>  Posted via http://www.ruby-forum.com/.
>
>