The String#constantize method is one of the features that make Rails fun to code with. It converts a string into the constant that the string names (or raises a NameError if no such constant exists). This makes it easy to store class types in a database as strings and to write controllers that work with classes sharing the same duck type.
Most people know that calling eval on user data is dangerous, but nobody seems to care about constantize. Beware: it is dangerous too, and you should constantize with care!
Avoiding Shell Injection in Ruby, Python and PHP.
I recently found a shell injection bug in a Ruby gem I use.
Shell injections have scared me for a long time, and I usually prefer to whitelist certain characters/patterns rather than to blacklist. This means that the system fails to the safe side. Unfortunately, it usually does fail: my whitelisting is too rigorous, and data that would not cause any problems gets rejected. So I decided to take the opportunity to investigate how to prevent shell injection in my favorite scripting language (Python), in the language I found the problem in (Ruby), and finally in the language that I cannot avoid (PHP).
Mysql::Error: Deadlock found when trying to get lock
In one of my Rails projects we had problems with deadlocks during transactions:
"A ActiveRecord::StatementInvalid occurred in ...: Mysql::Error: Deadlock found when trying to get lock"