A security hole through which you could pilot a Death Star
This is the most frightening line of code I’ve seen in my lifetime:
@model = eval(params[:item_type].classify)
This was in a Rails controller.
For any of you not horrified by the above code, allow me to explain. It lets an attacker put arbitrary Ruby code into a URL query parameter and have it executed with the full permissions of your Rails application. The classify call is no defence: it is an inflection helper that adjusts capitalization and pluralization, not a sanitizer, so semicolons, quotes and parentheses in the parameter reach eval untouched.
Now, since it seems this needs some repeating:
Never use eval on user input. Especially not unsanitized user input, and an inflection helper does not count as sanitizing.
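To make the point concrete, here is an added example (not code from the original post) that puts the eval-based lookup beside an allowlisted replacement and runs outside Rails. The model classes Widget and Gadget, the malicious parameter, and the simplified stand-in for ActiveSupport's classify are all constructed for the demonstration; the stand-in is an assumption about the real method that keeps only the behaviour that matters here, namely that it strips nothing.

```ruby
# Added example, not code from the original post: the eval-based model lookup
# beside an allowlisted replacement, runnable without Rails.

# Constructed stand-in model classes (a real app would have ActiveRecord models).
class Widget; end
class Gadget; end

# Simplified stand-in for ActiveSupport's String#classify (assumption: the real
# method also singularizes and drops any "schema." prefix). What matters here is
# what it does NOT do: it capitalizes and camelizes, and strips nothing else, so
# ";", quotes and parentheses pass straight through to eval.
def classify(str)
  str.sub(/\A[a-z\d]*/) { |m| m.capitalize }
     .gsub(/_([a-z\d]*)/i) { $1.capitalize }
end

# The vulnerable lookup from the post: whatever arrives in the request is
# compiled and run inside the application process.
def lookup_model_unsafe(item_type)
  eval(classify(item_type))
end

# Hardened lookup: an allowlist maps the few permitted values to classes, and
# anything else fails closed. No request data reaches eval or const_get.
ALLOWED_MODELS = { "widget" => Widget, "gadget" => Gadget }.freeze

class UnknownItemType < ArgumentError; end

def lookup_model_safe(item_type)
  ALLOWED_MODELS.fetch(item_type.to_s) do
    raise UnknownItemType, "item_type not permitted: #{item_type.inspect}"
  end
end

# Constructed malicious parameter: a valid-looking type followed by a second
# statement. The statement is harmless here (it sets a global), but it could be
# anything the application's Unix user is allowed to do.
PAYLOAD = "widget; $pwned = true"

def demo
  $pwned = nil
  lookup_model_unsafe(PAYLOAD)
  unsafe_ran_payload = ($pwned == true)

  $pwned = nil
  safe_rejected =
    begin
      lookup_model_safe(PAYLOAD)
      false
    rescue UnknownItemType
      true
    end

  {
    unsafe_ran_payload: unsafe_ran_payload,
    safe_rejected: safe_rejected,
    safe_untouched: $pwned.nil?,
    safe_benign: lookup_model_safe("widget"),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file shows the payload executing through the eval path and being rejected by the allowlist path. The allowlist is deliberately a literal hash rather than a call to const_get or constantize on the parameter: the set of types a controller action can load is small and known at development time, so enumerating it is both the safest and the clearest option.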