When you need to execute some external program you'd usually use backticks or %x():
%x(mplayer #{song.file})This leads you to "Command Injection" vulnerability. If song.file is foo& sudo cat /etc/passwd then Ruby will actually run:
mplayer foo& sudo cat /etc/passwdTo properly escape shell input use Shellwords.shellescape:
%x(mplayer #{song.file.shellecape})
# runs mplayer foo\&\ sudo\ cat\ /etc/passwd