3

I can run the following command from my rails app:

Hash.from_xml(%x{curl -d "admin=true" http://localhost:8888} ) rescue nil

Now I want to replace the "admin=true" with a variable. If I have x = "admin=true", how can I then write the above command?

Thanks a lot

Sergey K.
pompon
    Please, please be careful using code like this. If you ever make a query on behalf of a user and pass untrusted input on to curl, this could lead to a shell injection attack. That said, using a fixed string should be fine. – bchurchill Feb 13 '13 at 04:35

2 Answers

4

You can use curl directly in Ruby instead of depending on a command and hardcoded parameters - the current code is harder to maintain and doesn't tell you exactly what may be wrong if something bad happens. See ruby curl.

The ideal option actually would be to drop curl and use rest-client.

require 'rest-client'
Hash.from_xml(RestClient.post('http://localhost:8888/', :admin => true).body)  # form-encoded POST, like curl -d

No dependencies - just pure Ruby. Proper exceptions raised in any case. Trivial parameter specification. POST verb available.

gertas
0
x = %Q{"admin=true"}
Hash.from_xml(%x{curl -d "#{x}" http://localhost:8888} ) rescue nil

The %Q{} syntax indicates a quoted string, which is kind of like a "super"/"enhanced" version of a double-quoted string.

The #{} syntax inside %x{} is called interpolation and it allows you to evaluate Ruby code inside a string.

Ryan Bigg
    I wouldn't recommend this: if 'admin=true' is generated dynamically, you need to be absolutely sure that this string does not contain anything that could be used for a shell injection attack [this is generally tough to do]. And, if it's not generated dynamically then there's no reason to use %Q. gertas' solution is much more robust. – bchurchill Feb 13 '13 at 04:37
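
The shell-injection concern raised in the comments, shown as an added example that is not part of the original thread: the interpolated %x{} form next to two hardened forms. Assumptions: a child Ruby process stands in for curl so nothing is sent over the network, the HOSTILE value is constructed, and the function names are hypothetical.

```ruby
require "json"
require "open3"
require "rbconfig"
require "shellwords"

# Constructed stand-in for curl so this runs offline: a child Ruby process
# that prints the argument vector it actually received, as JSON.
CHILD = [RbConfig.ruby, "-rjson", "-e", "print ARGV.to_json", "--"].freeze
URL = "http://localhost:8888" # never contacted here

# Pattern from the second answer: x is pasted into a string that /bin/sh
# parses, so quotes and ';' inside x are treated as shell syntax.
def via_shell(x)
  %x{#{CHILD.shelljoin} -d "#{x}" #{URL}}
end

# Hardened: an argv array means no shell runs at all, and x reaches the
# program as exactly one argument whatever characters it contains.
def via_argv(x)
  out, status = Open3.capture2(*CHILD, "-d", x, URL)
  raise "child failed: #{status.exitstatus}" unless status.success?
  JSON.parse(out)
end

# If a shell string is unavoidable, escape the value and drop the
# hand-written quotes around it.
def via_escaped(x)
  JSON.parse(%x{#{CHILD.shelljoin} -d #{Shellwords.escape(x)} #{URL}})
end

# Constructed input: closes the double quote, then adds a harmless command.
HOSTILE = %q{admin=true" ; echo INJECTED ; echo "}

if $PROGRAM_NAME == __FILE__
  puts via_shell(HOSTILE) # argv is cut short and the extra echo runs
  p via_argv(HOSTILE)     # value arrives intact as one argument
  p via_escaped(HOSTILE)  # same result through an escaped shell string
end
```
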