
List:       ruby-talk
Subject:    Re: still more relentless non-repetition
From:       "Giles Bowkett" <gilesb () gmail ! com>
Date:       2006-10-31 23:54:46
Message-ID: 2d81dedb0610311554n1d46782em120bb1ee30467d11 () mail ! gmail ! com

ah yeah, that's a good point, SQL injection attacks.

On 10/31/06, Devin Mullins <twifkak@comcast.net> wrote:
> I'm too lazy ATM to read the whole thing and make a design
> recommendation, but Danger, Will Robinson!
> >      eval("@#{params[:thing_to_search_for]}") =
> > (eval(params[:thing_to_search_for].capitalize)).find_by_contents @term
> Major Ruby-injection problem here. NEVER eval something you get from an
> untrusted user. Use, instead, instance_variable_get and Object.const_get.
>
> Devin
>
>


-- 
Giles Bowkett
http://www.gilesgoatboy.org
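Added example, not code from this thread or from the original poster's application: the quoted `eval`-based lookup rewritten the way Devin suggests, with `instance_variable_set` and `Object.const_get` in place of `eval`. It runs without Rails; `params` is a plain hash and `Article`, `Comment` and `SearchController` are constructed stand-ins. One check is added beyond the advice above: `Object.const_get` will happily resolve any constant name a user types (`"Object"`, `"Kernel"`, ...), and `instance_variable_set` accepts any name, so the request value is compared against a fixed allowlist before either call is made.

```ruby
# Stand-in models (constructed for this example; a Rails app would use its own).
class Article
  def self.find_by_contents(term)
    "articles matching #{term.inspect}"
  end
end

class Comment
  def self.find_by_contents(term)
    "comments matching #{term.inspect}"
  end
end

class SearchController
  # The only request values that may be turned into a class name and an
  # instance variable. Everything else is rejected before any reflection call.
  SEARCHABLE = %w[article comment].freeze

  attr_reader :term

  # params: a Hash standing in for the Rails params object (constructed)
  def initialize(params, term)
    @params = params
    @term = term
  end

  # Hardened replacement for:
  #   eval("@#{params[:thing_to_search_for]}") =
  #     (eval(params[:thing_to_search_for].capitalize)).find_by_contents @term
  # Returns the search result and stores it in @<key>, without ever
  # handing user-supplied text to eval.
  def search
    key = @params[:thing_to_search_for].to_s
    unless SEARCHABLE.include?(key)
      raise ArgumentError, "not searchable: #{key.inspect}"
    end

    # Safe only because `key` was just checked against the allowlist.
    model  = Object.const_get(key.capitalize)
    result = model.find_by_contents(@term)
    instance_variable_set("@#{key}", result)
    result
  end
end

if $PROGRAM_NAME == __FILE__
  ok = SearchController.new({ thing_to_search_for: "article" }, "ruby")
  puts ok.search

  bad = SearchController.new({ thing_to_search_for: "object" }, "ruby")
  begin
    bad.search
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist is the part that actually closes the hole: `Object.const_get` and `instance_variable_set` stop arbitrary code execution, but on their own they still let a caller pick any constant or overwrite any instance variable in the controller, so the set of acceptable names has to be fixed in code rather than derived from the request.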
