On 20/07/12 11:31, Ross Wilson wrote:
> But what is the difference if I write incorrect code and *execute* it or write the same code in a string and *eval()* it. The result is the same whether eval() is used or not. Same result, same risk.
No, a much bigger risk because you can manipulate your strings at run time before eval()ing them.
The potential exists to modify your string in an unexpected way (via buggy code or buggy input data) that results in a dangerous command set being executed, even if not intended. You can't do that in plain code unless you are writing self modifying code - and that's even more dangerous than using eval()!
I don't want to exaggerate the risk, it is a lot lower than allowing anyone to type in potentially malicious code but it is still a whole level more dangerous than typing in explicit code and executing it in the interpreter. It's important not to forget that it's not just strangers' strings that can cause problems in eval()/exec().
--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
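An added example to make the point above concrete; it is not code from Alan's reply or from the original thread. The `threshold` setting, the function names and the "buggy input" string are all constructed for illustration. `unsafe_check()` builds an expression string at run time and eval()s it, as the question imagined; a threshold value that was never validated turns the string into something quite different from the intended comparison. `safe_check()` shows the hardened alternative: parse the string with `ast` and evaluate only arithmetic and comparisons, refusing any other syntax. (The simplest fix of all, not shown, is to never build code from data and just compute `value * 2 > threshold` directly.)

```python
import ast
import operator

# Constructed example, not from the original mailing-list thread.
# Maps AST operator node types to plain Python operators so that the
# whitelisted evaluator below never has to call eval() at all.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_CMP_OPS = {
    ast.Gt: operator.gt,
    ast.Lt: operator.lt,
    ast.GtE: operator.ge,
    ast.LtE: operator.le,
    ast.Eq: operator.eq,
}


def build_expression(threshold):
    """Build the check as a string, the way the original question imagined it.

    `threshold` is supposed to be a number read from a config file (assumed
    setting, constructed here). Nothing verifies that, which is exactly the
    "buggy input data" case the reply warns about.
    """
    return f"value * 2 > {threshold}"


def unsafe_check(value, threshold):
    """eval() the run-time-built string. The intended result is a bool.

    With an honest threshold this works. With a threshold such as
    "100 or __import__('os').getcwd()" the *same* code path evaluates
    `value * 2 > 100 or __import__('os').getcwd()`, runs a function the
    author never wrote, and returns a str instead of a bool.
    """
    return eval(build_expression(threshold), {}, {"value": value})


def safe_check(value, expression):
    """Evaluate `expression` allowing only numbers, `value`, + - * / and
    a single comparison. Anything else (calls, attributes, boolean
    operators, other names) raises ValueError instead of executing.
    """
    tree = ast.parse(expression, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        # Numeric literals only; bool is a subclass of int, so exclude it explicitly.
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.Name) and node.id == "value":
            return value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](ev(node.left), ev(node.right))
        if (isinstance(node, ast.Compare)
                and len(node.ops) == 1
                and type(node.ops[0]) in _CMP_OPS):
            return _CMP_OPS[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)


if __name__ == "__main__":
    good = 3
    # Constructed "buggy input": what was supposed to be a number.
    bad = "100 or __import__('os').getcwd()"
    print("honest threshold, eval():", unsafe_check(5, good))
    print("corrupted threshold, eval():", repr(unsafe_check(5, bad)))
    print("honest threshold, safe_check():", safe_check(5, build_expression(good)))
    try:
        safe_check(5, build_expression(bad))
    except ValueError as exc:
        print("corrupted threshold, safe_check():", exc)
```

The corrupted string here only calls `os.getcwd()` so it is harmless to run, but the mechanism is the whole point: the Python source never changed, the data it was glued onto did, and eval() faithfully executed the result.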