0

I've put together two sample classes implemented in a couple of different ways which pretty well mirrors what I want to do in my Rails model. My concern is that I don't know what, if any are the concerns of using either method. And I've only found posts which explain how to implement them or a general warning to avoid/ be careful when using them. What I have not found is a clear explanation of how to accomplish this safely, and what I'm being careful of or why I should avoid this pattern.

class X
  attr_accessor :yn_sc, :um_sc
  def initialize
    @yn_sc = 0
    @um_sc = 0
  end
  types = %w(yn um)
  types.each do |t|
    define_method("#{t}_add") do |val|
      val = ActiveRecord::Base.send(:sanitize_sql_array, ["%s", val])
      eval("@#{t}_sc += #{val}")
    end
  end
end

class X
  attr_accessor :yn_sc, :um_sc
  def initialize
    @yn_sc = 0
    @um_sc = 0
  end
  types = %w(yn um)
  types.each do |t|
    # eval <<-EVAL also works
    self.class_eval <<-EVAL 
      def #{t}_add(val)
        @#{t}_sc += val
      end
    EVAL
  end
end


x = X.new
x.yn_add(1) #=> x.yn_sc == 1 for both
MCB
  • 2,021
  • 1
  • 18
  • 32

1 Answers1

1

Well, your code looks realy safe. But imagine a code based on user input. It might be look something like

puts 'Give me an order, sir!'
order = gets.chomp
eval(order)

What will happen if our captain will go wild and order us to 'rm -rf ~/'? Sad things for sure!

So take a little lesson. eval is not safe because it evaluates every string it receives. But there's another reason not to use eval. Sometimes it evaluates slower than alternatives. Look here if interested.

user2422869
  • 750
  • 7
  • 17
  • Well, `val` will be user input from a form, although I know there are ways a malicious user can spoof that, hence the `sanitize`. – MCB Nov 19 '13 at 18:01