On Mon, 18 Jul 2005, Nathan Pinno wrote:
> I find it easier to remember and faster to code than int(raw_input()).
> The faster I can code a program, the better in my opinion. So what if it
> has a few bugs, I fix them gradually.
Hi Nathan
You're right, just as long as we're writing programs that are only meant
to be used by ourselves, and as long as we're sure that it's not talking
to the outside world. The driving issue behind getting paranoid is this:
it's getting much easier to write programs that we think might be just for
ourselves, but which become useful for others.
And as soon as we write programs that other people are going to use, we
really do have to play by a different set of rules than just ease of
programming. Some folks were casual about eval(), and look what happened
to them:
http://gulftech.org/?node=research&article_id=00088-07022005
They should have known better.
This problem is not exclusive to programmers in PHP: programmers in
Python make the same kind of mistakes. As a concrete example, take a look
at the comments about the deprecated "SimpleCookie" and "SerialCookie"
functions:
http://www.python.org/doc/lib/module-Cookie.html
Again, they should have known better. And we should know better.
So we do have a responsibility to state up front that using 'eval' (or
things that call 'eval' for us) is convenient, but it's not safe. That's
why we bug about it every so often.
Hope this helps!
_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
