On 5/27/07, EL AATIFI Sidi Mohamed <[EMAIL PROTECTED]> wrote:
> > - The eval() technique suggested in another reply may work, but isn't
> > really a good practice. eval() exists to make interactive prompts
> > possible, not as a general programming technique. There is no
> > protection on what eval() will do, so if an attacker can modify the
> > string that is being eval()'d, they have complete access to your
> > system. This is obviously very bad practice on a public-facing
> > interface, like a web site.
>
> I agree completely.
> It should just be noted that in this case, there is no way to change the
> expression passed to eval. Secondly, getattr can in no case evaluate
> an expression, or reach deeper fields.

This may be the case, but using eval() for general programming is an
extraordinarily bad habit to get into; there is almost always an alternative
approach, and it _definitely_ doesn't need to be used in this case.

Yours,
Russ Magee %-)
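
Added example, not part of the original thread or of Django's code: a dotted attribute path resolved with getattr alone, next to the eval() lookup the thread discusses, run against the same constructed input. The names `resolve_path`, `eval_lookup`, `Article`, `Author` and `AUDIT` are hypothetical and exist only for this illustration.

```python
import re

# One path segment: a plain identifier with no leading underscore, so
# "__class__" and other private/dunder attributes are unreachable.
_SEGMENT = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")


def resolve_path(obj, path):
    """Follow a dotted attribute path with getattr only; nothing is evaluated."""
    current = obj
    for name in path.split("."):
        if not _SEGMENT.match(name):
            raise ValueError("illegal attribute name: %r" % name)
        current = getattr(current, name)
    return current


def eval_lookup(obj, path):
    """The eval() pattern under discussion, kept here only for contrast."""
    return eval("obj." + path, {"obj": obj, "audit": AUDIT})


# Constructed sample objects (hypothetical, not from the thread).
class Author:
    def __init__(self, name):
        self.name = name


class Article:
    def __init__(self, title, author):
        self.title = title
        self.author = author


AUDIT = []  # records side effects triggered by evaluated input


def demo():
    article = Article("Intro", Author("Alice"))
    safe = resolve_path(article, "author.name")      # nested field, no eval
    hostile = "title and audit.append('code ran')"   # constructed input
    eval_lookup(article, hostile)                    # the expression executes
    try:
        resolve_path(article, hostile)
        rejected = False
    except ValueError:
        rejected = True                              # getattr path refuses it
    return safe, list(AUDIT), rejected
```

`demo()` returns the nested value, the side effect left behind by the eval() lookup, and whether the getattr-based resolver rejected the same string.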

