String to Class?


I’m getting a class name as string via params[:class_name]. How can I access the class?


params[:class_name] => “Post”

and then something like


Try String#constantize:


Stay away from eval.

Use String#constantize or Object#get_const


Jason, Why stay away from eval?

I’m currently using eval to dynamically build a restful url_helper reference. Is this also a bad case of using eval fro the same reason/?

ala: eval(“change_state_#{}_url(#{})”)

(sorry to hijack - hopefully this adds to the discussion!)



General Partner

The nNovation Group inc.


class SomethingsController < ApplicationController     def tricky       ...       eval(params[:my_param])       ...     end   end

Then consider what a request like this might do to your server"rm%20-rf%20%2F")



  The reason to stay away from eval is because you want to avoid evaling anything user generated. The OP is trying to make a class from an item in the params object. DANGER!! look here:

how bout eval(params[:class_name].capitalize + ".find(:first)") ?

  Now anyone can try to enter all kinds of things in the params[:class_name] form field. And it will get evaled without any checking on the server. Bad!

  If you can avoid eval please do so at all costs. class_Eval or instance_eval with blocks instead of strings are better. But in your example:


should be written like this:

send("change_state_#{}_url", "#{}")


-- Ezra Zygmuntowicz-- Lead Rails Evangelist -- -- Engine Yard, Serious Rails Hosting -- (866) 518-YARD (9273)

Thanx Ezra and Michael.

I understood that Send limitted the scope(object calls) of damage that can be cause by eval - and a object.send("#{params[:command]) is dangerous enough. Whereby Eval's scope isn't limited.

In my particular case the_model is instantiate by the controller action - so eval would likely be as 'safe' as send (?).

My questions was questioning what additional protection that send provides - is there any protection provided above and beyond the localization of the class executing the arbritary code?

I think my learning here is that regardless of means(send, eval, etc), that additionally checking should be done on the methods being called - limiting the scope of the methods that can be called (I've recently used acts_as_state_machine to limit sends based upon model state and other guards - this provides funnel that sends must qualify before running - and still give me the benefit of a measure of dynamism.

ala:    instance.send("#{params[:command]}") if Class.legitimate_commands.include?(params[:command])

thanks for teaching this ruby-nuby. Jodi

eval("change_state_#{}_url(# {})")

should be written like this:

send("change_state_#{}_url", "# {}")

Hey Ezra -

the send didn't succeed as : undefined method `change_state_project_url(:id => 85, :event => 'change_project_info')' for #<#<Class:0x345af20>:0x345aef8>

note: this code is running inside application_helper - not sure what self is inside a helper, but it doesn't know about rest url helpers.

Do you know what object 'owns' these methods? I gather they are Class methods.

thanx. Jodi

As everybody has said, avoid eval - use const_get to retrieve a constant. If you want a class from a string, here's a simple implementation:

class String   def to_class     Object.const_get(self)   end end