Parsing Ruby code from database possible?

Security concerns aside, if I want to let the user write Rails code to
my MySQL database (e.g. <%= "Hello world" %>), and the application would
then parse the code, would that be possible?

On Sat, 6 Oct 2007 20:59:27 +0200, Bob S. wrote:

> Security concerns aside, if I want to let the user write Rails code to
> my MySQL database (e.g. <%= "Hello world" %>), and the application would
> then parse the code, would that be possible?

Sure:

    class MyModel < ActiveRecord::Base
      def do_something_dangerous
        eval self.a_text_field_containing_ruby_code
      end
    end


Jay L. |
Boston, MA | My character doesn’t like it when they
Faster: jay at jay dot fm | cry or shout or hit.
http://www.jay.fm | - Kristoffer

Thanks a bunch, Jay! That was fast :)

Hi Jody!

That was what I thought might work too :) Thanks for the great advice. I
actually just installed the liquid plugin before I saw your post, and
I’ll look into Mephisto.

Thanks a bunch again for the fabulous advice, Jody.

…and I can’t believe I just spelled your name incorrectly, Jodi ;)

Bob -

On 6-Oct-07, at 3:15 PM, Bob S. wrote:

> Hi Jody!
>
> That was what I thought might work too :) Thanks for the great advice. I
> actually just installed the liquid plugin before I saw your post, and
> I’ll look into Mephisto.

After writing I realized that depending on your needs there might be
another option - I’m looking at this option right now.

If you’re not doing templating, FFSB[1] (_why’s FreakyFreaky Sandbox)
might be an option.

Fully ruby sandboxed syntax - not geared to templates though. The
syntax is much sweeter though - the ruby we love - I’ve found liquid
syntax to be a bit painful but certainly a good solution for end
user templating.

Unfortunately there hasn’t been a commit to FFSB since late 2006.
I’ve presently asked _why the status - no response yet.

(and np on the spelling. common mistake. Mom was a hippy who loved
boys with girls' names err spellings)

Jodi
[1] http://code.whytheluckystiff.net/sandbox/

Howdy Bob -

On 6-Oct-07, at 2:59 PM, Bob S. wrote:

> Security concerns aside, if I want to let the user write Rails code to
> my MySQL database (e.g. <%= "Hello world" %>), and the application would
> then parse the code, would that be possible?

(warning: not what you asked, but imo a better solution to user
generated content)

I have implemented such a feature for email templates using the
liquid templating engine.

You can benefit from flow control, operators and sandboxing.

Good resources are:

http://mephistoblog.com/ (look at the mephisto source for
implementation)

Providing a context to liquid is the toughest part; not so tough -
just need to explicitly tell liquid what objects, attributes,
associations are avail.

Let me know if a bit of code can help you move forward.

cheers,
Jodi
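
The contrast discussed in this thread, as an added example that is not part of any post: stored text evaluated as Ruby (via ERB, as in the question) beside a renderer that only resolves names from an explicit context. The second renderer is a hypothetical minimal stand-in for the explicit-context idea, not Liquid's API or implementation; all names, templates and the key value are constructed.

```ruby
require "erb"

# Constructed sample: a value the application holds but never meant to expose.
API_KEY = "constructed-secret-123"

# Approach from the first reply: run stored text as Ruby (here via ERB).
# The template author gets everything reachable from the binding.
def render_with_erb(stored_template, user_name)
  ERB.new(stored_template).result(binding)
end

# Explicit-context approach (hypothetical stand-in, not Liquid's API):
# only {{ dotted.names }} are recognised, and each one is looked up in a
# hash the application built. Nothing in the template is evaluated.
PLACEHOLDER = /\{\{\s*([a-z_]+(?:\.[a-z_]+)*)\s*\}\}/

def render_with_context(stored_template, context)
  stored_template.gsub(PLACEHOLDER) do
    value = $1.split(".").reduce(context) do |scope, key|
      scope.is_a?(Hash) ? scope[key] : nil
    end
    # Unknown names render as empty text; whole Hashes are never dumped.
    (value.nil? || value.is_a?(Hash)) ? "" : escape_html(value.to_s)
  end
end

def escape_html(text)
  ERB::Util.html_escape(text)
end

# Constructed templates, as a user might save them to the database.
GREETING   = 'Hello <%= user_name %>'
OVERREACH  = 'Key: <%= API_KEY %>'
SAFE_STYLE = 'Hello {{ user.name }}, order {{ order.id }} {{ api_key }}<%= API_KEY %>'

# The application decides exactly what a template may see.
CONTEXT = { "user" => { "name" => "Bob <b>" }, "order" => { "id" => 42 } }

if __FILE__ == $PROGRAM_NAME
  puts render_with_erb(GREETING, "Bob")
  puts render_with_erb(OVERREACH, "Bob")         # exposes the constant
  puts render_with_context(SAFE_STYLE, CONTEXT)  # ERB tag stays inert text
end
```
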