List: ruby-talk
Subject: Re: still more relentless non-repetition
From: "Giles Bowkett" <gilesb () gmail ! com>
Date: 2006-10-31 23:54:46
Message-ID: 2d81dedb0610311554n1d46782em120bb1ee30467d11 () mail ! gmail ! com
ah yeah, that's a good point, SQL injection attacks.
On 10/31/06, Devin Mullins <twifkak@comcast.net> wrote:
> I'm too lazy ATM to read the whole thing and make a design
> recommendation, but Danger, Will Robinson!
> > eval("@#{params[:thing_to_search_for]}") =
> > (eval(params[:thing_to_search_for].capitalize)).find_by_contents @term
> Major Ruby-injection problem here. NEVER eval something you get from an
> untrusted user. Use, instead, instance_variable_get and Object.const_get.
>
> Devin
>
>
--
Giles Bowkett
http://www.gilesgoatboy.org
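The eval-based dispatch Devin flags, beside a hardened form, as an added example that is not code from this thread: the Article and Comment classes, their find_by_contents method, the SEARCHABLE allow-list, the Search class and the PAYLOAD string are constructed stand-ins for the original poster's Rails code. It also shows the caveat that goes with the suggested fix: Object.const_get no longer executes the string, but it still resolves any constant the string names (File, Kernel, ...), so the name has to be checked against an allow-list of searchable models before it is used.

```ruby
# Added example (not code from the thread). Toy stand-ins for the original
# poster's Rails models: each has a find_by_contents class method.
class Article
  def self.find_by_contents(term)
    ["article about #{term}"]
  end
end

class Comment
  def self.find_by_contents(term)
    ["comment about #{term}"]
  end
end

# The models a request may legitimately search (constructed allow-list).
# This, not const_get, is the real fix: const_get only removes code execution.
SEARCHABLE = { "article" => Article, "comment" => Comment }.freeze

# A constructed request value: a valid model name followed by attacker code.
PAYLOAD = "article.tap { $injected = true }"

class Search
  attr_reader :term

  def initialize(term)
    @term = term
  end

  # Vulnerable form, following the quoted code: the user-supplied name is
  # evaluated as Ruby source twice, so any expression in it runs.
  def run_unsafe(params)
    name = params[:thing_to_search_for]
    model = eval(name.capitalize)                      # attacker code runs here
    eval("@#{name} = model.find_by_contents(term)")    # and here
  end

  # Hardened form: never eval; map the name through the allow-list, refuse
  # anything unknown, and only then build the instance variable name from it.
  def run_safe(params)
    name = params[:thing_to_search_for].to_s
    model = SEARCHABLE[name]
    raise ArgumentError, "not a searchable model: #{name.inspect}" unless model
    results = model.find_by_contents(term)
    instance_variable_set("@#{name}", results)   # name is a known-good key now
    results
  end

  # Why const_get alone is not enough: it resolves File, Kernel, etc. too.
  def self.resolve_with_const_get(name)
    Object.const_get(name.capitalize)
  rescue NameError
    nil   # strings that are not constant names (like PAYLOAD) are rejected
  end
end

# Runs the payload through the vulnerable path; returns whether the injected
# block executed. The request blows up with a SyntaxError on the second eval,
# but only after the first eval has already run the attacker's code.
def unsafe_demo
  $injected = false
  begin
    Search.new("ruby").run_unsafe(thing_to_search_for: PAYLOAD)
  rescue ScriptError, StandardError
    nil
  end
  $injected
end

# Runs the same payload through the hardened path; returns
# [request_rejected?, injected_code_ran?].
def safe_demo
  $injected = false
  rejected = begin
    Search.new("ruby").run_safe(thing_to_search_for: PAYLOAD)
    false
  rescue ArgumentError
    true
  end
  [rejected, $injected]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe path ran injected code: #{unsafe_demo}"
  puts "safe path [rejected, injected]: #{safe_demo.inspect}"
  puts "const_get('file') resolves to: #{Search.resolve_with_const_get('file')}"
  puts Search.new("ruby").run_safe(thing_to_search_for: "article").inspect
end
```

Using a hash keyed by the permitted names is simpler and stricter than const_get followed by a check; the resolve_with_const_get method is kept only to show that "file".capitalize resolves to the File class, which is exactly the kind of constant an attacker would go looking for.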