Using a string as executable code

I need to store one line method calls as strings in my db and then apply
them to an object. For example, I would store "name.upcase" in the db
and then somehow call person.name.upcase. Any idea how I might pull this
off?

Thanks,

Peter

Peter Marks wrote:

I need to store one line method calls as strings in my db and then apply
them to an object. For example, I would store "name.upcase" in the db
and then somehow call person.name.upcase. Any idea how I might pull this
off?

Thanks,

Peter

Don't Do It!

Peter Marks wrote:

I need to store one line method calls as strings in my db and then apply
them to an object. For example, I would store "name.upcase" in the db
and then somehow call person.name.upcase. Any idea how I might pull this
off?

Well, you could do

result = "name.upcase".split(".").inject(person) do |object, method|
   object.send(method)
end

but storing code in a database smells. Perhaps it would be better to find another approach that avoids storing the code in the first place

Paul McMahon wrote:

Well, you could do

result = "name.upcase".split(".").inject(person) do |object, method|
   object.send(method)
end

but storing code in a database smells. Perhaps it would be better to
find another approach that avoids storing the code in the first place

Or

eval "object.#{object.stored_code}"

But really. This sounds like a horrendously bad idea.

Your answer also smells. I'd use instance_eval.

result = person.instance_eval "name.upcase"

--Ken

Thanks for the input guys. instance_eval is exactly what I was looking
for.

I realize storing code in a database is kind of a funny idea, but I
don't see a better alternative for the problem I face. I need to
generate an array of object customized strings, specially selected from
a pool of about 500 string functions. The only alternative I see is
defining about 300 extra frivolous string methods in my model and
selecting among those based on database values. That doesn't seem any
less smelly.

What, specifically, concerns your the most about storing code in a
database? The risk of it becoming stale as your app changes? Performance
issues?

Thanks Again,

Peter

there are many easy ways to handle this

i don't know what you mean by 'string function' but:

cfp:~ > cat a.rb
module StringMethods
   class << self
     def a
       p :a
     end

     def b
       p :b
     end

     def c
       p :c
     end
   end
end

class Module
   def string_methods *list
     list.flatten.each do |m|
       module_eval <<-code
         def #{ m }(*a, &b)
           StringMethods.#{ m }(*a, &b)
         end
       code
     end
   end
end

class Model
   string_methods %w( a b )
end

m = Model.new

m.a
m.b
m.c

cfp:~ > ruby a.rb
:a
:b
a.rb:38: undefined method `c' for #<Model:0x278f8> (NoMethodError)

a @ http://codeforpeople.com/

ara.t.howard wrote:

there are many easy ways to handle this

i don't know what you mean by 'string function' but:

Thanks for your response. All I mean by 'string function' is a bit of
code that produces a string. Using my example, 'person.name' and
'person.name.upcase' are different string functions. I don't know if I'm
using the right terminology, but that's what I mean. If I was to define
all of these 'string functions' as individual methods, it would be a lot
of additional hard code and I would still have these method names locked
into the db.

The problem with code in the database is ... the database. If there is
a vulnerability in the way you store things in the database, a
malicious user could execute arbitrary code on your server through the
pipe you open.

a.instance_eval "`uname -a`" ---> print system name
a.instance_eval "`whoami`" ---> print user name
... explore, find a security weakness, create an account, go in and
steal the house !

It is good practice to keep some doors closed, just in case.

Gaspard

i think you are missing the point:

('a' .. 'z').each do |m|

   define_method(m){ m }

end

defines 26 methods - did you read my code? you easily define these compactly in one module and cherry pick them into a specific class with zero db code involved.

why don't you spell out your exact problem and we can show you how.

cheers.

a @ http://codeforpeople.com/

Gaspard Bucher wrote:

The problem with code in the database is ... the database. If there is
a vulnerability in the way you store things in the database, a
malicious user could execute arbitrary code on your server through the
pipe you open.

a.instance_eval "`uname -a`" ---> print system name
a.instance_eval "`whoami`" ---> print user name
... explore, find a security weakness, create an account, go in and
steal the house !

It is good practice to keep some doors closed, just in case.

Gaspard

Thanks for your response Gaspard. The code entering part of my app is
only for my app's backend and will not be publicly accessible. I
definitely need to take measures to ensure it stays that way though.

Peter Marks wrote:

Thanks for your response Gaspard. The code entering part of my app is
only for my app's backend and will not be publicly accessible. I
definitely need to take measures to ensure it stays that way though.

It won't. That would beat all the odds of established computer security
track records.

Another place to consider: You are introducing one more point of failure
for you app, as well as a dependency that might not be necessary.

Did you look at metaprogramming? Marshal?

And a question you might want to ask yourself: Do I want to be starring
on DailyWTF as "the developer before me"?

- -- Phillip Gawlowski

Phillip Gawlowski wrote:

And a question you might want to ask yourself: Do I want to be starring
on DailyWTF as "the developer before me"?

Haha, point taken. I'm not familiar with metaprogramming or marshall.
I'm looking into both.

ara.t.howard wrote:
did you read my code?

I did, but I must not understand all of it. Sorry.

ara.t.howard wrote:

why don't you spell out your exact problem and we can show you how.

My db schema has a 'templates' table, a 'fields' table as well as a
'template_fields' join table that connects 'fields' to 'templates'.

'fields' needs to contain information to produce a customized text
string for a particular object. Intuitively, I thought I needed to store
string generating code as a string in 'fields' and execute it against my
object. It was suggested I could do that like this:

person.instance_eval field.code

I use the resulting string and the field's 'name' to assemble a hash for
each field connected to a template:

      rehash = {}
      for field in template.fields
        rehash[field.name] = person.instance_eval field.code
      end

I then use the hash of generated strings and field names for a find and
replace function.

OK. So your problem is offering database stored templates to your users.

I have solved this problem for zena by creating a custom template
language called zafu. The template is compiled to erb and saved as a
file.

To manage showing attributes of objects, this is how I worked this out
(simplified):

1. in the model, I declare readable attributes:
class Page
  zafu_readable :name, :created_at, :title, ...
end

2. zafu code:
<r:show attr='title'/>

3. compile template (done once when changed, not on every call to the template)
erb_code << Page.zafu_readable?(attribute) ? "<%= @node.#{attribute}
%>" : "bad attribute '#{attribute}'"

If you want to 'render' the template on each call, you could just keep
the 'readable?' idea:

Example with "person.name" :

template: [[person:name]]

template.gsub (/\[\[(\w):(\w)\]\]/) do
  object = $1
  field = $2
  if object = get_object(object)
    if object.class.readable_attribute?(field)
      object.instance_eval field
    else
      "invalid attribute '#{field}' for object of class '#{object.class}'"
    end
  else
    "invalid object '#{object}'"
  end
end

This is much more secure, avoids the fields table and keeps Model
information in the model. If you are in rails, you could also use the
'attr_protected/attr_accessible' notion.

Gaspard