Hi Henry,

On 03/10/2015 03:25 PM, Henry Versemann wrote:
> I have a new dictionary that I want to build, using data from another
> dictionary. I have a view which is receiving a single key/value pair
> from the original dictionary. Then in the view I've defined the new
> dictionary like this:
> 
> innerDict = {}
> 
> Now I want to make this as dynamic as possible so I'm trying to use the
> "eval()" statement below to add the new key/value pair to the new
> dictionary, which is declared above. Will the following code work to
> actually add the new key/value pair to the new dictionary?
> 
> innrDictCmnd = "innerDict['"+newinnrkey+"'] = newinnrval"
> eval(innrDictCmnd)
> 
> If not why not, and in lieu of the statements above not working, then
> how would I do it?

It doesn't work, because eval() only accepts expressions; assignment is
a statement. Using exec() instead of eval() will work (though the way
you have it written, it will always assign the string "newinnrval" --
perhaps you meant to end innrDictCmnd with '... = ' + newinnrval).

But regardless, you should not use either eval() or exec().

Since you say this code is in a view, I assume that newinnrkey comes
from request data (user input). Imagine what happens if I am a malicious
user and I call this view with newinnrkey set to:

    '] = 0; import os; os.rm('/'); d = {}; d['

Oops.

Both exec() and eval() should be avoided. They are very rarely
necessary, they usually make code less readable and maintainable, and if
you ever accidentally pass user input to them, you've opened up a
security hole in your application that someone could drive a truck through.

For your case, what's wrong with just writing `innerDict[newinnrkey] =
newinnrval`? It's every bit as dynamic as the version using eval or
exec - the eval/exec gains you nothing.

Carl
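
As an added example (not code from the thread), the three points in Carl's reply in runnable form: eval() refuses an assignment outright, a key spliced into a source string changes the program rather than the data (checked here by parsing the string Henry's view would build, never executing it), and plain subscript assignment stores any key as data. The function names build_assignment_source, statement_count, eval_rejects_assignment and add_entry are my own.

```python
import ast

# Constructed input modelled on the hostile key Carl describes; it is only
# ever parsed or used as a dictionary key below, never executed.
HOSTILE_KEY = "'] = 0; import os; os.rm('/'); d = {}; d['"


def build_assignment_source(key):
    """The string Henry's view would hand to eval()/exec(): the key is
    spliced into source code, so quote characters in it end the literal."""
    return "innerDict['" + key + "'] = newinnrval"


def statement_count(source):
    """Parse the built string without running it and count top-level
    statements. More than one means the key rewrote the program."""
    return len(ast.parse(source).body)


def eval_rejects_assignment(key):
    """eval() only compiles expressions; an assignment is a statement,
    so compilation fails before anything runs."""
    try:
        eval(build_assignment_source(key))
    except SyntaxError:
        return True
    return False


def add_entry(target, key, value):
    """Carl's recommendation: subscript assignment. The key is data, not
    code, so any string (including HOSTILE_KEY) is just an odd key."""
    target[key] = value
    return target


if __name__ == "__main__":
    print(statement_count(build_assignment_source("color")))      # 1
    print(statement_count(build_assignment_source(HOSTILE_KEY)))  # 5
    print(eval_rejects_assignment("color"))                       # True
    print(add_entry({}, HOSTILE_KEY, "blue"))
```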


-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/54FF66E3.5050408%40oddbird.net.