Jim Menard <jimm / eris.io.com> writes:

> Dave Thomas <Dave / PragmaticProgrammer.com> writes:
> 
> > Jim Menard <jimm / eris.io.com> writes:
> > 
> > > I have a class name in a string, and I want to create an instance of that
> > > class. Can I do so without using eval? I'm looking for something like
> > > Java's "Class.forName(className)" or Smalltalk's "Smalltalk classNamed:
> > > className".
> > 
> > I have to say that this concept strikes me as being really very
> > risky.
> 
> Why is this risky? I'm trying to build a generic .rhtml file that will
> display lists of objects with some of their attributes.
> 
> Each class I want to display descends from a common superclass representing
> a database reference table. I'm building a simple generic database table
> editor.

If you're checking that the class that's resolved from the string is a
descendant of your base class, then I guess there's no problem.
Without that check, then you're letting people run code on your
server.

Dave
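
The check Dave describes, as an added Ruby example that is not part of the original thread: the name is resolved with `const_get` instead of `eval`, and the result is accepted only if it is a strict subclass of the base class. `ReferenceTable`, `Country`, `Admin::Region`, `UnknownTableError` and `resolve_table_class` are hypothetical names chosen for illustration.

```ruby
# Hypothetical stand-ins for the reference-table hierarchy described in the thread.
class ReferenceTable; end
class Country < ReferenceTable; end
module Admin
  class Region < ReferenceTable; end
end

class UnknownTableError < StandardError; end

# Only constant paths such as "Country" or "Admin::Region" are accepted.
CLASS_NAME = /\A[A-Z]\w*(?:::[A-Z]\w*)*\z/

def resolve_table_class(name, base = ReferenceTable)
  unless name.is_a?(String) && name.match?(CLASS_NAME)
    raise UnknownTableError, "malformed class name"
  end

  klass = name.split("::").inject(Object) do |scope, part|
    # Look only in this namespace (inherit = false); stop if the path
    # walks through something that is not a module or is not defined.
    unless scope.is_a?(Module) && scope.const_defined?(part, false)
      raise UnknownTableError, "no such class: #{name}"
    end
    scope.const_get(part, false)
  end

  # `klass < base` is true only for strict subclasses, so File, Kernel and
  # the abstract base itself are all refused.
  unless klass.is_a?(Class) && klass < base
    raise UnknownTableError, "#{name} is not a #{base} subclass"
  end
  klass
end

# Constructed sample input, as it might arrive in a request parameter.
record = resolve_table_class("Admin::Region").new
puts record.class
```

Every rejection raises the same error type, so the caller can answer an unknown name and a disallowed class identically.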