On Mon, Feb 8, 2010 at 5:51 PM, Steven D'Aprano < ste...@remove.this.cybersource.com.au> wrote:
> On Mon, 08 Feb 2010 14:43:46 -0800, Aahz wrote:
>
> >>> WARNING: eval() is almost always the wrong answer to any question
> >>
> >> warning : it works !
> >
> > Works for what?
>
> Code injection security bugs, of course.
>
> http://en.wikipedia.org/wiki/Code_injection
>
> It is surprisingly difficult to sanitize strings in Python to make them
> safe to pass to eval. Unless you are prepared to trust the input data
> explicitly, it's best to just avoid eval.
>

I'd make it a bit stronger: unless you are prepared to trust the input data explicitly, and forever-- and extending that trust to whomever might in the future be hired to work along, beside, under, or instead of you-- including the fact that they may use your system or code in a different or new way to get the data-- or how you may in the future decide to grow your system in ways you're not today prepared for and are committed to do a complete review of your entire codebase on every such change to ensure you don't leak some potentially bad data down into such a place-- then you can use eval. Otherwise, other solutions are better.

--S
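The following is an added example, not code from anyone in the thread, illustrating the two claims above: that "sanitizing" a string before eval() is harder than it looks, and that another solution is better. The function names naive_sandboxed_eval, safe_arith_eval and is_rejected and the constant ESCAPE_PAYLOAD are made up for this illustration. The first function is the usual "fix" (eval with an empty __builtins__); the payload shows it still exposes the interpreter's object graph, using a harmless step that merely lists loaded classes. The second function never calls eval() at all: it parses the string with the ast module and interprets only a whitelist of arithmetic nodes, refusing attribute access, calls, subscripts and everything else.

```python
"""Why "sanitized" eval() still fails, and what to use instead.

Added example, not from the original thread. naive_sandboxed_eval,
safe_arith_eval, is_rejected and ESCAPE_PAYLOAD are names invented here.
"""
import ast
import operator

# --- The common "sanitization": strip builtins and pass no names --------


def naive_sandboxed_eval(source):
    """eval() with an empty __builtins__, the fix people usually reach for.

    This hides 'open', '__import__' and friends by name, but the object
    graph is still reachable through attributes of any literal.
    """
    return eval(source, {"__builtins__": {}}, {})


# Harmless payload demonstrating the escape: it walks from an empty tuple
# to 'object' and lists every class loaded in the interpreter. A real
# attacker would pick one of those classes (or its module globals) to reach
# os/subprocess; this example deliberately stops at the listing.
ESCAPE_PAYLOAD = "().__class__.__base__.__subclasses__()"

# --- The safe alternative: parse, then interpret a whitelist of AST nodes -


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the arithmetic subset we allow."""


_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
_MAX_EXPONENT = 64  # crude guard against 9**9**9-style CPU/memory blow-up


def safe_arith_eval(source, variables=None):
    """Evaluate an arithmetic expression over numbers and named variables.

    Only numeric constants, names present in `variables`, unary +/- and
    binary + - * / % ** are accepted; anything else (attribute access,
    calls, subscripts, lambdas, ...) raises UnsafeExpression. Nothing is
    ever handed to eval()/exec().
    """
    variables = dict(variables or {})
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not an expression: {exc.msg}") from None
    return _interpret(tree.body, variables)


def _interpret(node, variables):
    if isinstance(node, ast.Constant):
        value = node.value
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            return value
        raise UnsafeExpression(f"disallowed constant {value!r}")
    if isinstance(node, ast.Name):
        if node.id in variables:
            return variables[node.id]
        raise UnsafeExpression(f"unknown name {node.id!r}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_interpret(node.operand, variables))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY_OPS:
        left = _interpret(node.left, variables)
        right = _interpret(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return _BINARY_OPS[type(node.op)](left, right)
    # Everything else (Attribute, Call, Subscript, Compare, ...) is refused.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def is_rejected(source, variables=None):
    """True if safe_arith_eval refuses `source` (convenience for checks)."""
    try:
        safe_arith_eval(source, variables)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    leaked = naive_sandboxed_eval(ESCAPE_PAYLOAD)
    print(f"'sandboxed' eval exposed {len(leaked)} classes, e.g. {leaked[0]!r}")
    print(safe_arith_eval("price * qty - discount",
                          {"price": 20, "qty": 3, "discount": 5}))
    print(is_rejected(ESCAPE_PAYLOAD))  # the Call node is refused
```

If the input language needs more than arithmetic (comparisons, a few whitelisted functions), extend the interpreter node by node rather than loosening it; for plain data such as lists and dicts, ast.literal_eval from the standard library already does this job. Note that the interpreter only guards against injection, not against every resource exhaustion (a division by zero still raises ZeroDivisionError, and _MAX_EXPONENT is a blunt limit).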
-- http://mail.python.org/mailman/listinfo/python-list