Asp Forum - Using a string as executable code

Peter Marks

4/4/2008 1:30:00 AM

I need to store one line method calls as strings in my db and then apply
them to an object. For example, I would store "name.upcase" in the db
and then somehow call person.name.upcase. Any idea how I might pull this
off?

Thanks,

Peter
--
Posted via http://www.ruby-....

14 Answers

Xeno Campanoli

4/4/2008 1:42:00 AM

Peter Marks wrote:
> I need to store one line method calls as strings in my db and then apply
> them to an object. For example, I would store "name.upcase" in the db
> and then somehow call person.name.upcase. Any idea how I might pull this
> off?
>
> Thanks,
>
> Peter
Don't Do It!

--
There is more safety in diversity; more danger in great power.
There is love in effort to understand; hatred in refusal to.

Paul McMahon

4/4/2008 1:42:00 AM

Peter Marks wrote:
> I need to store one line method calls as strings in my db and then apply
> them to an object. For example, I would store "name.upcase" in the db
> and then somehow call person.name.upcase. Any idea how I might pull this
> off?

Well, you could do

result = "name.upcase".split(".").inject(person) do |object, method|
object.send(method)
end

but storing code in a database smells. Perhaps it would be better to
find another approach that avoids storing the code in the first place

Phlip

4/4/2008 2:18:00 AM

>> I need to store one line method calls as strings in my db and then apply
>> them to an object. For example, I would store "name.upcase" in the db
>> and then somehow call person.name.upcase. Any idea how I might pull this
>> off?

> Don't Do It!

Except, for example, if code A determines the need to schedule a call to
A.foo(42), and wants to run that event at a scheduled time, such as out of a
cron job. Then dropping a _short_ "A.foo(42)" into the database, then
fetching it out and eval()-ing it, is not such an inelegant solution.

--
Phlip

Alex Wayne

4/4/2008 4:28:00 AM

Paul McMahon wrote:
> Well, you could do
>
> result = "name.upcase".split(".").inject(person) do |object, method|
> object.send(method)
> end
>
> but storing code in a database smells. Perhaps it would be better to
> find another approach that avoids storing the code in the first place

Or

eval "object.#{object.stored_code}"

But really. This sounds like a horrendously bad idea.
--
Posted via http://www.ruby-....

Ken Bloom

4/4/2008 1:38:00 PM

On Thu, 03 Apr 2008 20:42:28 -0500, Paul McMahon wrote:

> Peter Marks wrote:
>> I need to store one line method calls as strings in my db and then
>> apply them to an object. For example, I would store "name.upcase" in
>> the db and then somehow call person.name.upcase. Any idea how I might
>> pull this off?
>
> Well, you could do
>
> result = "name.upcase".split(".").inject(person) do |object, method|
> object.send(method)
> end
>
> but storing code in a database smells. Perhaps it would be better to
> find another approach that avoids storing the code in the first place

Your answer also smells. I'd use instance_eval.

result = person.instance_eval "name.upcase"

--Ken

--
Ken (Chanoch) Bloom. PhD candidate. Linguistic Cognition Laboratory.
Department of Computer Science. Illinois Institute of Technology.
http://www.iit.edu...

Peter Marks

4/4/2008 4:38:00 PM

Thanks for the input guys. instance_eval is exactly what I was looking
for.

I realize storing code in a database is kind of a funny idea, but I
don't see a better alternative for the problem I face. I need to
generate an array of object customized strings, specially selected from
a pool of about 500 string functions. The only alternative I see is
defining about 300 extra frivolous string methods in my model and
selecting among those based on database values. That doesn't seem any
less smelly.

What, specifically, concerns your the most about storing code in a
database? The risk of it becoming stale as your app changes? Performance
issues?

Thanks Again,

Peter
--
Posted via http://www.ruby-....

ara.t.howard

4/4/2008 4:59:00 PM

On Apr 4, 2008, at 10:37 AM, Peter Marks wrote:
> realize storing code in a database is kind of a funny idea, but I
> don't see a better alternative for the problem I face. I need to
> generate an array of object customized strings, specially selected
> from
> a pool of about 500 string functions. The only alternative I see is
> defining about 300 extra frivolous string methods in my model and
> selecting among those based on database values. That doesn't seem any
> less smelly.

there are many easy ways to handle this

i don't know what you mean by 'string function' but:

cfp:~ > cat a.rb
module StringMethods
class << self
def a
p :a
end

def b
p :b
end

def c
p :c
end
end
end

class Module
def string_methods *list
list.flatten.each do |m|
module_eval <<-code
def #{ m }(*a, &b)
StringMethods.#{ m }(*a, &b)
end
code
end
end
end

class Model
string_methods %w( a b )
end

m = Model.new

m.a
m.b
m.c

cfp:~ > ruby a.rb
:a
:b
a.rb:38: undefined method `c' for #<Model:0x278f8> (NoMethodError)

a @ http://codeforp...
--
we can deny everything, except that we have the possibility of being
better. simply reflect on that.
h.h. the 14th dalai lama

Peter Marks

4/4/2008 8:02:00 PM

ara.t.howard wrote:
> there are many easy ways to handle this
>
> i don't know what you mean by 'string function' but:

Thanks for your response. All I mean by 'string function' is a bit of
code that produces a string. Using my example, 'person.name' and
'person.name.upcase' are different string functions. I don't know if I'm
using the right terminology, but that's what I mean. If I was to define
all of these 'string functions' as individual methods, it would be a lot
of additional hard code and I would still have these method names locked
into the db.
--
Posted via http://www.ruby-....

Gaspard Bucher

4/4/2008 10:14:00 PM

The problem with code in the database is ... the database. If there is
a vulnerability in the way you store things in the database, a
malicious user could execute arbitrary code on your server through the
pipe you open.

a.instance_eval "`uname -a`" ---> print system name
a.instance_eval "`whoami`" ---> print user name
... explore, find a security weakness, create an account, go in and
steal the house !

It is good practice to keep some doors closed, just in case.

Gaspard

2008/4/4, Peter Marks <petertmarks@gmail.com>:
> ara.t.howard wrote:
> > there are many easy ways to handle this
> >
> > i don't know what you mean by 'string function' but:
>
>
> Thanks for your response. All I mean by 'string function' is a bit of
> code that produces a string. Using my example, 'person.name' and
> 'person.name.upcase' are different string functions. I don't know if I'm
> using the right terminology, but that's what I mean. If I was to define
> all of these 'string functions' as individual methods, it would be a lot
> of additional hard code and I would still have these method names locked
> into the db.
>
> --
> Posted via http://www.ruby-....
>
>

Peter Marks

4/4/2008 10:29:00 PM

Gaspard Bucher wrote:
> The problem with code in the database is ... the database. If there is
> a vulnerability in the way you store things in the database, a
> malicious user could execute arbitrary code on your server through the
> pipe you open.
>
> a.instance_eval "`uname -a`" ---> print system name
> a.instance_eval "`whoami`" ---> print user name
> ... explore, find a security weakness, create an account, go in and
> steal the house !
>
> It is good practice to keep some doors closed, just in case.
>
> Gaspard
>
> 2008/4/4, Peter Marks <petertmarks@gmail.com>:

Thanks for your response Gaspard. The code entering part of my app is
only for my app's backend and will not be publicly accessible. I
definitely need to take measures to ensure it stays that way though.
--
Posted via http://www.ruby-....

comp.lang.ruby

Using a string as executable code

Peter Marks

Xeno Campanoli

Paul McMahon

Phlip

Alex Wayne

Ken Bloom

Peter Marks

ara.t.howard

Peter Marks

Gaspard Bucher

Peter Marks

x Login to ForumsZone