in reply to Re: Re: Re: flattening a list-of-lists
in thread flattening a list-of-lists

This sounds freaky. I'm curious, can you post an exploit against flatten_stringeval?

No. Your code actually is safe. (I have to admit it took some time for me to convince myself of this.) However the point I make is valid. Using eval for things like this is an extremely dangerous thing. A very subtle error could open an exploit. (Have a hunt around the archives, merlyn has stung people a few times this way, as have others.)

As you point out here, everything is quoted correctly, and you aren't actually interpolating values in the eval. However only slight changes to your code, an omitted backslash, etc. could cause huge problems. If you had said "Note particularly that we don't allow interpolation of raw data to avoid potential security problems" or something to that effect I wouldn't have said a thing. Sometimes it's not necessarily sufficient to post something that is correct. If it's dangerous but correct you should IMO explain how to do it safely. (And why you are posting it.)

However I do feel I owe you an apology. This is the second time in a short time that I have misread one of your posts. I promise I'll read your nodes more closely, but do you think you could be a little clearer? Even realizing that you have in fact avoided the eval trap I would have replied pointing out how thin the ice is in this area. (As you didn't.)

Anyway, cheers. :-)

---
demerphq

    First they ignore you, then they laugh at you, then they fight you, then you win.
    -- Gandhi
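The point of the thread, shown in code as an added example (this is not demerphq's code nor the flatten_stringeval routine being discussed, which is not reproduced here): a flatten that walks the structure directly never hands data to the parser, while a flatten that builds source text from the data, as flatten_interpolating_eval below does, lets element contents change what the eval compiles. The sub names and the sample data are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Safe approach: recurse over array refs and treat every element purely
# as a value. Element contents can never reach the Perl parser.
sub flatten_noeval {
    my @out;
    for my $item (@_) {
        if (ref $item eq 'ARRAY') {
            push @out, flatten_noeval(@$item);
        }
        else {
            push @out, $item;
        }
    }
    return @out;
}

# Fragile approach (hypothetical, for contrast only): render the data as
# Perl source with the raw strings interpolated into double-quoted
# literals, then string-eval it. The data now participates in parsing.
sub _to_src {
    my ($item) = @_;
    return '(' . join(',', map { _to_src($_) } @$item) . ')'
        if ref $item eq 'ARRAY';
    return qq{"$item"};    # raw data dropped inside a "..." literal, unescaped
}

sub flatten_interpolating_eval {
    my $src = '(' . join(',', map { _to_src($_) } @_) . ')';
    my @out = eval $src;   # string eval: $src is compiled as code
    die "string eval failed: $@" if $@;
    return @out;
}

# Ordinary input: both routines agree.
my @nested = (1, [2, [3, 4]], 'plain');
print "no-eval:     @{[ flatten_noeval(@nested) ]}\n";
print "string eval: @{[ flatten_interpolating_eval(@nested) ]}\n";

# Constructed data that is harmless as a value but not as source text:
# '$5' is silently interpolated as a capture variable, and an embedded
# double quote ends the literal early and breaks compilation.
my @tricky = ('cost $5', [ 'say "hi"' ]);
print "no-eval:     ", join(' | ', flatten_noeval(@tricky)), "\n";

my @from_eval = eval { flatten_interpolating_eval(@tricky) };
print "string eval: ", ($@ ? "died: $@" : join(' | ', @from_eval)), "\n";
```

The non-eval version returns both elements unchanged; the interpolating version dies on the second element, and would have quietly altered the first even if the quote had not been there. That gap between "works on the inputs I tried" and "treats input as data under all inputs" is the thin ice the reply describes, and the recursive version is the way to stay off it.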