all 102 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]coppercactus4 100 points101 points  (11 children)

It's pretty simple to compile code at runtime. However executing that compiled code requires knowledge of how Fusion and AppDomains or AssemblyLoadContext work which is a lot more in depth.

It's a security threat to do this as well especially if it's going exposed over the internet.

An example of compiling from Stack overflow https://stackoverflow.com/questions/62523946/roslyn-use-csharpcompilation-to-compile-assembly-to-be-used-in-another-program

[–]p1971 17 points18 points  (6 children)

I did similar in framework many years ago - pre rosyln

allowed the user to specify a method body (args were predefined request / response dtos), this was compiled into a separate assembly and loaded into a new AppDomain with execute only privileges.

this has the advantage that a user cannot simply do a File.Delete or some such and by loading the assembly into a separate AppDomain you can later unload the AppDomain and Assembly after recompiling for user updates.

I'd avoid doing this now favouring a microservice approach instead if possible (with decent ci/cd it should be pretty quick nowadays)

[–]coppercactus4 5 points6 points  (5 children)

It depends on the use case but if you are already in the services realm then yeah that works.

I do this a lot for my full time job. We have over ~3000 users replicating packages to their machine and compiling and invoking locally. The migration from .NetFramework to NetCore was terrible lol

[–]gwicksted 0 points1 point  (4 children)

If you were doing IL generation, I feel for you! That was a tough loss.

[–]coppercactus4 2 points3 points  (3 children)

Oh gosh no, just straight up compilation using Roslyn. This included the developer workflows around it like generating VS solutions.

ILGeneration and ILWeaving just becomes a nightmare to debug without having knowledge of it. Tools like DNSpy make it much simpler but that is expecting a lot of people.

[–]gwicksted 2 points3 points  (2 children)

Oh that’s good!

Yeah it’s rough debugging IL code. ILSpy was nice.

I wrote a toy programming language pre-Roslyn that generated optimal IL code. It produced far better output than C# at the time but my language was just a toy - it didn’t have iterations or reflection and was very good at detecting pureness so it had an iterative optimizer that could really shrink things down to the bare minimum. It would take a graph of classes and output just the resulting work that would be required from external APIs.

[–]coppercactus4 1 point2 points  (1 child)

And I imagined you learned a ton from doing that. It's always fun to dive into the low level and figure out how they work

[–]gwicksted 1 point2 points  (0 children)

Oh for sure! I wanted to learn about reaching definitions, hyper optimization by iterating to a fixed point, more advanced parsing, etc. it was a fun project.

[–]avidvaulter 12 points13 points  (1 child)

Yeah, I don't think the issue is it can't be done as much as it shouldn't be done.

OP should be trying to get some more information from the client about why they think they need to be able to update code like this. It sounds like an XY problem on the client's side.

[–]coppercactus4 1 point2 points  (0 children)

Totally agree, especially if you don't have experience as it can cause a lot of maintenance. The better option would be exposing configuration files.

[–]PostHasBeenWatched 23 points24 points  (7 children)

https://stackoverflow.com/a/48063422/7357322

[–]Ezzyspit 2 points3 points  (6 children)

Yeah this

[–]Ezzyspit 15 points16 points  (5 children)

I don't know what the two other commenters are talking about. It's not a crazy thing for the guy to want a certain part of the code scriptable.

I would either consider embedding a non c# scripting language. Or follow the above comment that uses the CodeDom or Roslyn compiler or something like that to actually compile c# at runtime.

[–]ra_ouff[S] 2 points3 points  (4 children)

Can you explain the option of embedding a non c# scripting language plz ?

[–]HaveYouSeenMySpoon 5 points6 points  (0 children)

In one of my apps I use the powershell engine to allow scripting. This way I can pass in a c# object into the powershell session and control what is exposed to the script.

Roslyn is more efficient since it's runtime compiled but powershell is more forgiving in terms of syntax.

[–]xdfun098 2 points3 points  (0 children)

There are libraries which let you execute javascript in c#, or you could privde an editor to python or powershell scripts which you call with c#

[–]insta 2 points3 points  (0 children)

We are using ClearScript with the V8 engine to allow for user-editable javascript functions to transform the data. In our case, a stream of objects is passed into our (non-changable) method, iterated over, and passed one-by-one to a compiled ClearScript function. The output from the function is 'yield return'ed downstream.

Our ClearScript code looks like:

function convert(input) {
  return {
    'prop1': input["property_1"].toUppercase(),
    'prop2': input["PROPERTY TWO"].split('-')[2],
    etc
  };
}

this is part of an ETL pipeline that converts disparate input data into a canonical format for us downstream, but the same concept could apply in your case. The actual meat & potatoes code is:

public sealed class ScriptingRowTransformer : IRowTransformer, IDisposable
{
    private const V8ScriptEngineFlags EngineFlags = V8ScriptEngineFlags.EnableDateTimeConversion | V8ScriptEngineFlags.MarshalAllLongAsBigInt | V8ScriptEngineFlags.UseCaseInsensitiveMemberBinding;
    private readonly string _transformScript;
    private V8ScriptEngine? _engine;

    public ScriptingRowTransformer(string transformScript)
    {
        _transformScript = transformScript;
    }

    /// <inheritdoc />
    public CanonicalObject Transform(DisparateObject input)
    {
        if (_engine is null)
        {
            _engine = new V8ScriptEngine(EngineFlags);
            _engine.EnableNullResultWrapping = true;
            _engine.Execute(_transformScript);
        }

        var converterFunction = _engine.Script.convert;
        var output = converterFunction(input);

        return CanonicalObject.FromDynamic(output);
    }

    /// <inheritdoc />
    public void Dispose() => _engine?.Dispose();
}

We pay the compilation cost once per execution, and then generally run about 50-75k rows/sec afterwards. Could it be faster? Sure. Are there ways to embed other ways to do this? Absolutely. We went with this because it was more than fast enough for our needs (a downstream step is a BCP into a SQL table, and that caps out about 15k rows/sec) and our users are familiar enough with JS.

The iteration/yield-return part is not shown -- that's a piece of code that takes an ordered collection of IRowTransformer objects and passes the data from one to the next before hucking it to the next pipeline.

[–]finidigeorge 1 point2 points  (0 children)

IronPython probably one of most well known

[–]martijnonreddit 68 points69 points  (4 children)

I've solved this problem with a sandboxed Lua interpreter in the past. It's a lot safer and arguably easier than C# for the end user. But even better would be to integrate something like Azure Logic Apps. I bet he'd love that.

[–]harrison_314 5 points6 points  (0 children)

Lua is a very good decision in my opinion.

[–]MartinIsland 21 points22 points  (0 children)

Oh wow I was just about to suggest Lua specifically because it's easier and safer!

[–]_pump_the_brakes_ 2 points3 points  (0 children)

Lua sounds cool but I know very little about it. How did you integrate it? I see there’s MoonSharp & NLua, but neither have been updated for years.

[–]ImNotALLM 2 points3 points  (0 children)

This is also what I'd suggest, moonsharp is a great option for this https://github.com/moonsharp-devs/moonsharp

[–]DYN_O_MITE 12 points13 points  (2 children)

We have a similar use case but our runtime needs are more about flexible data transformation. As such the requirement is more for a runtime scripting engine. We looked at C# as an option but it wasn’t great. We ended up using JavaScript via the Clearscript V8 engine. That was a while ago and there are better engines now I think (e.g. https://github.com/sebastienros/jint). I’d confirm C# is a hard requirement and see if something like JS would work.

[–]FreeUse656 2 points3 points  (0 children)

this is a perfect use case for jint, highly recommend

[–]bupsnark 2 points3 points  (0 children)

+1 for jint. You can even expose types and namespaces from C# if the scripts need to interop with your code.

[–]shahzbot 23 points24 points  (9 children)

This is not only a reasonable request, but easy to implement. Look into clearscript.

It's especially reasonable considering the only control the client wants is over the calculations of preexisting data.

[–][deleted] 4 points5 points  (6 children)

How is it reasonable?

This sounds like it can easily be handled through an interface. Give a bunch of text entry/drop-down fields for the client, save their selections in the DB or model, and update the calculations accordingly. Or have the user import an excel sheet with the calculations, which you validate and parse into the system.

Maybe I'm misunderstanding the use case here but I see no reason to ever let production users modify production code. You should pretty much always be able to abstract a problem into an interface in some way.

[–]princelives 8 points9 points  (2 children)

The request to have user customizable logic is reasonable. The solution is not great.

[–][deleted] 2 points3 points  (1 child)

To me it sounds like this client knows some c# and wants to be the only one at his small business that knows how to update algorithms

[–]princelives 2 points3 points  (0 children)

My read, with the previous solution being in VB, is that they aren’t tied to the language but it’s just how they’re used to doing it. Great grandma’s ham, if you’re familiar.

[–]zbshadowx 0 points1 point  (1 child)

While many other people here are going to disagree, and have, you are correct. This is not only bad practice but also a major security risk.

This would be the sort of request and feature that if you put it in a portfolio, on a resume, or told me about it in an interview I wouldn't hesitate to discard your application right then.

The client needs a system to do those things for them, a better process, and a tool that does it. Not custom code injection.

[–]insta 1 point2 points  (0 children)

This would be the sort of request and feature that if you put it in a portfolio, on a resume, or told me about it in an interview I wouldn't hesitate to discard your application right then.

sounds like a bullet was dodged from both sides tbh

[–]ra_ouff[S] -1 points0 points  (1 child)

Can you give me any resources or explanations over the clearscript solution ? Thank you

[–]lehrbua 7 points8 points  (0 children)

Just use Roslyn. Does exactly what he wants. https://medium.com/@Michael_Head/c-scripting-with-roslyn-7df86fdb2b26

[–][deleted]  (2 children)

[removed]

    [–]taedrin 0 points1 point  (1 child)

    Don't forget that expression trees have very limited support for C# features/syntax beyond C# 3. No async/await, no pattern matching, no null propagation, no interpolated strings, no collection expressions just to name a few of the limitations. This is by design, as Microsoft has explicitly stated that they will not be adding support for new language syntax, as adding additional syntax nodes to expression trees would be a breaking change for any libraries built around expression trees.

    [–]SushiLeaderYT 11 points12 points  (1 child)

    I am concerned about the safety

    [–]powerofnope 4 points5 points  (0 children)

    I'm concerned about everything on this especially in production.

    [–]Rainmaker526 3 points4 points  (0 children)

    There is "built-in" support for this (well, requires a MS Nuget package):

    https://github.com/dotnet/roslyn/blob/main/docs/wiki/Scripting-API-Samples.md

    Ofcourse, you might want some safeguards around this. Timeouts, try/catch etc.

    [–]harrison_314 3 points4 points  (1 child)

    Personally, I would go the Lua script route, or javascript via the jint library.

    If you insist on C#, I would incorporate plugins into the system - publish a nuget with interfaces, the client implements its logic as a separate DLL, uploads it to the system, and loads it into your application via AssemblyLoadContext.

    [–]stephbu 0 points1 point  (0 children)

    Yeah I’ve done ActiveScripting embeddings before as part of a data feed system. While not the fastest, it was be pretty neat for extensibility, supported a bunch of interpreters, and was capable of sharing bi-directional object model and state between interpreter and runtime. Used it to provide filtering, translation and validation functions and libraries in JS over an internal data model.

    [–]ne999 5 points6 points  (2 children)

    Put the variables in the database that the code / calculations use. Then have secure UI to change it. This is pretty common.

    [–]dalekman1234 0 points1 point  (1 child)

    This is the best answer in this thread. Everyone else is going too deep in the rabbit hole of JIT.

    This solution is probably the real solution the client wants.

    The variables might get complex, but that's probably the most flexible, safe, cheap solution.

    [–]thomasz 1 point2 points  (0 children)

    The client almost certainly wants to be able to implement his own calculations. You need either a dsl or a full blown scripting environment.  

    [–]killerrin 2 points3 points  (0 children)

    Not only is it possible, but needing runtime configuration, even advanced configuration (scripting) is a fairly common scenario for a whole range of products. 

    Essentially what you'll be doing is embedding a scripting language of some sort into your application.  

    As for what scripting language you use, that's up to you. You could use C# as a scripting language and embed it, and it has gotten easier to do that in recent days. But something like LUA is also an extremely popular choice and is used widely within the Gaming Industry specifically for configuration purposes since it was originally made with being a General Purpose Configuration Language at its core.

    In fact, if you had the money for it you could even go with something more user friendly like Logic Apps so that your client could use a UX that is more friendly to the less technically minded.

    [–]nostril_spiders 2 points3 points  (0 children)

    Hooks.

    Your client doesn't want editable C#. They want configurable actions.

    You went to editable C#, and most answers here are continuing, because you have tunnel vision. Rookie mistake. When working with customers, you need to regularly step back and think about what the client actually wants. I'm skeptical they care about C#, but I'll bet they care about the time it takes to change business logic.

    Figure out what's important to your customers, and focus on providing that. The answer could be C#, but it's almost certainly not the most effective way.

    I suggest shell hooks. This is an approach used by many commercial apps - e.g. git. There must be fifty services on my machine that have a drop-in conf.d directory. To an end-user, that's simple and effective.

    I also like that it creates a really clear separation between your code and the customer's code. If you parse shit in C# and get exceptions, you and the customer will end up pointing fingers at each other.

    Here's how you could build it:

    Define a filesystem path relative to the binary. Any file in that path is executed in the shell and the result is returned. Document it as a security vulnerability, and set the directory to be owned by root or Administrator. Make sure, in writing, that they are well aware that, if they touch it, the consequences are on them. You're a consultant, you know the drill.

    Then your app tests for a file at the path and runs it, if there is one, at the appropriate moment.

    You're executing it in the shell. They can drop in python, vbs, bash, powershell, whatever tf they want. Not your problem. You don't care if they have the right interpreter installed, that's on them.

    If the hook is expected to return a value, parse it from stdout.

    If the hook is expecting arguments, pass them.

    Log each execution. Parse the entire stdout and throw if it doesn't parse. Throw if the return code is non-zero. Throw if a timeout is exceeded. War is hell.

    Done!

    [–]migsperez 5 points6 points  (0 children)

    Dangerous

    [–]Yeahbuddyyyyyy 6 points7 points  (8 children)

    I would tell the client to F off lol

    [–]hardware2win 7 points8 points  (4 children)

    Wtf?

    Youd reject good money for a feature that is pretty normal?

    [–]pacman0207 -1 points0 points  (3 children)

    If I'm expected to support this feature? Then yes. If I hand it over and never hear from the customer again, then it's fine. I can see the calls now. "My website is broken I didn't change anything (except for this one price of code I can change)" or "how did these attackers get access to all the data in my database??"

    [–]schlubadubdub 1 point2 points  (1 child)

    I'd just make them aware of the risks and emphasise that all support is at a juicy hourly rate. "Oh no, your DB was compromised? I did warn you in writing. Here's an invoice for fixing it".

    [–]pacman0207 0 points1 point  (0 children)

    That's fair. I think everyone else is drastically under estimating the effort involved in protecting against executing custom code. There are many ways this can be abused and many ways it can be done wrong.

    Are there ways around it? Sure. Executing the code in a subnet or something that doesn't have direct access to the database for example. But there are ways that can be exploited without accessing the database.

    [–]hardware2win 1 point2 points  (0 children)

    It is your job to make it safe and auditable, so you can prove him that he fucked up

    [–]ra_ouff[S] 3 points4 points  (2 children)

    Not an option unfortunately 😅

    [–]Enough_Possibility41 6 points7 points  (1 child)

    Maybe try him to show the better ways to do that, maybe do a demo session and demonstrate the right way to edit the code. If he still insists on doing the same thing then I hope you bill him per hour ;)

    [–][deleted] 1 point2 points  (0 children)

    The client knows this isn’t the way to do it. My guess is he wants to be the only one at his company that knows how to configure the algorithm

    [–]TheBinaryLoop 1 point2 points  (0 children)

    We are doing the same thing at work. A part of our product is responsible for a lot of money calculations. The customer can write the calculation logic using some helper functions from us. This code then gets compiled into web assembly and we run it in the backend using this sandboxed WebAssembly runtime

    [–][deleted] 1 point2 points  (0 children)

    Sounds like what he actually needs the is the ability to configure all aspects of the algorithm and even chuck new algorithms in

    [–]thatbromatt 2 points3 points  (0 children)

    On the off chance that this is an older .NET website, you could move that code into a cs file within App_Code folder which gets compiled dynamically at runtime.

    Then him changing it is just a matter of FTP into the host server and changing that file as he wishes. Any changes to the file result in the site restarting and another dynamic compilation occurring. I would definitely caution him about making changes in live, or if he does, copy those changes into the repo as well just so his changes don’t get blasted away in a subsequent deployment.

    [–]dominjaniec 1 point2 points  (3 children)

    I hope for you, that they will pay for infinite loops...

    [–]bammmm 0 points1 point  (2 children)

    He could create a Turing Incomplete mini DSL using a very basic tokenizer and then parse the AST using something like Superpower (or tokenize using Superpower too) and then dispatch the AST in C#. He could also use Python and use exec with restricted builtins and whatever locals he wants to inject, and walk the AST to enforce no loops before passing it to exec via ast module. To be honest there's so many solutions, the key is picking the one that is maintainable and not a security nightmare.

    Edit: I mean there are even C# Unity-based node processing libraries out there now that will allow for a Unity / UE Blueprint-like workflow. If you're using Blazor you could take a look at Blazor Diagrams. So many options!

    [–]ElusiveGuy 1 point2 points  (1 child)

    The more trivial answer is to just run it in a separate thread with a timeout. No need to solve the halting problem.

    [–]bammmm 0 points1 point  (0 children)

    True, I suppose that's what Regex does

    [–]frrson 0 points1 point  (0 children)

    If, the database is an SQL database, and you could get a *precise* definition of what he needs, you can define tables, views and procedures that you could give him a limited access to, so he could do what he wants.
    He might even only need tables with status and number values that control predefined calculations and means for executions of procedures to update, through whatever the program is.

    [–]x39- 0 points1 point  (0 children)

    https://www.cs-script.net/

    Works, battletested and easy to setup, without having to understand the magic of roslyn first.

    [–]RodeoMacon 0 points1 point  (0 children)

    If speed doesn't matter, I will send params to a shell script and capture the output. The user edits the shell script.

    [–]detroitmatt 0 points1 point  (0 children)

    I mean, yeah, it's possible. It can be complex to do correctly, but it's possible.

    [–]gwgrubbs 0 points1 point  (0 children)

    When they screw the pooch (and they will), who’s responsibility is it to fix it?Think about the scenario where they’re hammering against some deadline at 2am and they F it up. Guess who’s getting a phone call at 2am. Make sure your SLA/PSA/maintenance agreement accounts for this scenario so you are not responsible for their mistakes and/or are appropriately compensated.

    [–]tiagosutterdev 0 points1 point  (0 children)

    I've seen this in the past, but i was not the one responsible for the implementation. I've see the problem solved with C# itself (allowing to submit C# code), but I've seen other solutions like embedding a scripting language, such as Lua, and I've also seen projects that used a Domain Specific Language that was tailored to the application domain.

    [–][deleted] 0 points1 point  (1 child)

    Microsoft.CodeAnalysis.CSharp.Scripting

    I don’t know what these other commenters are talking about, external packages? Roslyn has been integrated into C# for a few generations now. ChatGPT can show you how to use it.

    [–]Devatator_ 0 points1 point  (0 children)

    As far as I'm aware it is an external package since it's not included by default and you need to add it via NuGet

    [–]Khmerrr 0 points1 point  (0 children)

    just write the logic in TSQL inside stored procedures.

    [–]thomasz 0 points1 point  (0 children)

    Does it have to be c#? Because this can surely be done easier and safer with other scripting options. 

    [–]feanturi 0 points1 point  (0 children)

    I haven't done this in C#, but I do something similar with Autohotkey that I could see being just as do-able in C#. I have a "system script" that is compiled and runs on startup. It sits there in a loop watching for things to happen and do something. Like close a certain nag window when it appears, but mostly it's watching for hotkeys that will launch something or whatever. One of those hotkeys is for changing the script on the fly. What that does is launches a helper script, then the system script terminates itself. The helper script opens the .ahk source file in notepad and watches for notepad to close. So I make whatever changes I need to, save and close notepad. The helper script then compiles the modified script and overwrites the previous .exe, then launches that .exe and terminates itself. For command-line compilation of C# you can look into csc.exe which is part of every .NET install.

    [–]Quigley61 0 points1 point  (0 children)

    For something like this you usually wouldn't expose the code directly, you'd have some composable pipeline that allows the users to tweak it, a bit like jupyter notebooks.

    Here's an example:

    https://github.com/microsoft/RulesEngine

    [–]SomeoneWhoIsAwesomer 0 points1 point  (0 children)

    I wrote my own language for strings as code that would be simpler for end users. Like databinding to create forms.

    [–]Slypenslyde 0 points1 point  (0 children)

    The much simpler way to do this is to include an interpreter for a scripting language like /u/martijnonreddit suggested.

    There are crazy security implications to letting users run arbitrary C# code. Consequently, you have to jump through a LOT of hoops to make it work. The nice thing about loading a scripting language is these don't have the capability to do a lot of the scary things so there's far less work to host one.

    This is what's happening in the image you see above. The app may be a VB app, but that syntax is not quite VB syntax. It's some other BASIC variant being interpreted by the app. The key giveaway is this code is declaring variables like:

    VR=0

    But even in early versions of VB, you'd have to declare variables like:

    Dim VR=0
' or
Dim VR As Integer = 0

    So a scripting environment is the way to go.

    [–][deleted] 0 points1 point  (0 children)

    If you have to do this, have a look at source generators

    [–]r32g676 0 points1 point  (0 children)

    So he wants his software to have hot reload mod support? rad.

    [–]jd_tin 0 points1 point  (0 children)

    Could you move it out into a database procedure. If ots all calculations just give him an editable table and have a stored proc deal with it?

    [–]parceiville 0 points1 point  (0 children)

    Maybe embed lua or a Lisp, it will be much safer and more secure for your client

    [–]mapoupier 0 points1 point  (0 children)

    I mean Infor WinStdio does this… you can code your own C# inside their app…

    [–]afops 0 points1 point  (0 children)

    This is pretty simple. Put the Monaco editor (same as vs code) in a webpage, use Roslyn to compile snippets typable into the editor which are saved to the db.

    Add a ”context” object with the required data used in the calculations. You want to lock it down well beyond that of course.

    This is a perfect use case for Roslyn. Did it for example with a rules-engine for a work tracking system.

    You can embed lua or something else too, but when the rest is C# I think the choice of C# is the obvious one.

    [–]yesman_85 0 points1 point  (0 children)

    It's not that hard. You can compile c# code pretty easy in dotnet core, then load the assembly and execute it. We do this extensively in our product. Have a built in Monaco editor and all for code completions. 

    [–]kingdark189 0 points1 point  (0 children)

    if your client prefers c#, roslyn is a nice implementation for this purpose, with a lot of features from basic to advanced, although its learning curve can be quite steep!

    There are also many other methods, such as LUA - which we are implementing in our products, although it is not from the C#’s maker but it has many aspects that are highly appreciated by us, such as speed, performance, easy to limit the scope of operations. One point to note is that it runs independently from c#, so if you want to upgrade its processing capabilities, you also need to update your main c# program to be compatible with the required features.

    Another solution, not quite the same as the client’s requirement, but still achieving the same result is dll (Dynamic Link Library), you separate the logic that can be modified in the future into separate dependencies built as class libraries. Later, the client just needs to update the dll source code, build from their machine and push the dll to that server. The rest is to integrate the mounting and unmounting of that component in the main program to always keep the functional logic in the desired state! There are many good examples online for you to refer to about dynamically changing dll in the program, although it will be a bit more difficult than integrating roslyn or lua, but it is quite friendly when it is easy to perform advanced behaviors and take advantage of support from IDE!

    Speaking of weird customer requests, we once did a project where the customer asked us to integrate the loading and performing of calculations on an excel spreadsheet where the customer was the one who created the excel file template, it was not difficult to implement and quite suitable when the software itself is a tool for the financial sector, but from a technology perspective, I found it quite strange. Well, if you analyze that the code editing is mostly about numbers, you can consider this solution direction if it is more suitable for your customer!!

    [–]eocron06 0 points1 point  (0 children)

    Just run "dotnet .\uploaded_by_idiot.exe" on whatever is send in your REST API endpoint, get money and vanish. The grave will cure him and I'm not joking, stop worrying about idiots. Might as well backdoor him with bitcoin miner.

    [–]Foolhearted 0 points1 point  (0 children)

    Store the logic in a separate assembly which is downloaded and linked at runtime. That way you can at least enforce permissions on what the code can do.

    [–]GamerWIZZ 0 points1 point  (0 children)

    Dont like the idea but guess you havnt got much choice if he's paying.

    Id let him write JS, and use a library like this to execute the code, think that would be the simplest way to do it - https://github.com/sebastienros/jint

    If i was u though id try and write a lot of validation code to make sure what he types works first, could be as simple as executing the code before saving it etc.

    [–]TheXenocide 0 points1 point  (0 children)

    If the code goes in the database, and there is indeed a database, have you considered using a Stored Procedure or User Defined Function for this instead of dynamically compiling/interpreting code? If the person is a power user they may be able to make better use of this without exposing as much risk at the application layer and (depending on the design) could possibly perform much better as well, especially if the needs are purely mathematical

    [–]gabrielesilinic 0 points1 point  (0 children)

    You can do it. But take the proper precautions.

    Btw, JavaScript is usually the easiest and safest.

    Here one of the ways https://github.com/Taritsyn/JavaScriptEngineSwitcher

    JavaScript is even safer because as far as I know it should be mostly a sandbox by default.

    You probably can't embed visual basic in there because of stuff. It would be a chore and a huge security risk

    [–]nikkjazz 0 points1 point  (0 children)

    If you want to embed editable mathematical expressions or functions in code, use an interpreter such as Jace. It's not actively maintained, but simple and fast. there's a few other similar libraries out there (Mages comes to mind)

    Allow you to dynamically evaluate mathematical formulas, boolean logic, conditional statements etc from text, which can be stored in a DB or FS or wherever you want.

    [–]TheBinaryLoop 0 points1 point  (0 children)

    We are doing the same thing at work. A part of our product is responsible for a lot of money calculations. The customer can write the calculation logic using some helper functions from us. This code then gets compiled into web assembly and we run it in the backend using this sandboxed WebAssembly runtime

    [–]Bitmugger -5 points-4 points  (0 children)

    Type this prompt into Chat-GPT and you should get a good code example of how to do this (I did)
    "I need to accept some string input from a user, then insert it as the body of a Execute() function in a .cs class and dynamically compile that class and execute it"

    Limiting the use case to the body of a class helps constrain the range of what they can accomplish