How to rescue an eval in Ruby?

Brent already got an answer that works, but I recommend rescuing from the smallest set of exceptions you can get away with. This makes sure you’re not accidentally gobbling up something you don’t mean to be. Thus,

    begin
      puts eval(good_str)
      puts eval(bad_str)
    rescue SyntaxError => se
      puts 'RESCUED!'
    end

Python eval: is it still dangerous if I disable builtins and attribute access?

I’m going to mention one of the new features of Python 3.6 – f-strings. They can evaluate expressions,

    >>> eval('f"{().__class__.__base__}"', {'__builtins__': None}, {})
    "<class 'object'>"

but the attribute access won’t be detected by Python’s tokenizer:

    0,0-0,0:            ENCODING       'utf-8'
    1,0-1,1:            ERRORTOKEN     "'"
    1,1-1,27:           STRING         'f"{().__class__.__base__}"'
    2,0-2,0:            ENDMARKER      ''

Safely sandbox and execute user submitted JavaScript?

You can use sandbox support in nodejs with vm.runInContext('js code', context), sample in api documentation: https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_options

    const util = require('util');
    const vm = require('vm');

    const sandbox = { globalVar: 1 };
    vm.createContext(sandbox);

    for (var i = 0; i < 10; ++i) {
      vm.runInContext('globalVar *= 2;', sandbox);
    }
    console.log(util.inspect(sandbox));
    // { globalVar: 1024 }

WARN: As … Read more

Python: make eval safe [duplicate]

are eval’s security issues fixable or are there just too many tiny details to get it working right? Definitely the latter — a clever hacker will always manage to find a way around your precautions. If you’re satisfied with plain expressions using elementary-type literals only, use ast.literal_eval — that’s what it’s for! For anything fancier, … Read more
