How do you set up a stack?

s713221 at student.gu.edu.au
Wed May 9 14:06:15 EDT 2001


kosh wrote:
> 
> Umm. While this solution will work I think there are some things that need
> to be dealt with. Mainly you need to check f for items that should not be
> in there. eval will evaluate any valid piece of python code so the other
> things that can be done are large. This is a fairly large security risk at
> this point I think. At the very least I would check if it has any letter
> characters and if so not run them.

Eval will (should?) only evaluate legal pythonic numeric functions. This
actually covers quite a bit, but unless you define weird class
structures that overwrite numerical operators to do non-numerical
operations, you shouldn't have to worry too much about using eval.

Simple maths.
>>> eval("1+2")
3

Math with complex numbers (Except "i" is replaced with "j" in python.
Ask the engineers why. *sighs*)
>>> eval("(1+2j)-3j")
(1-1j)

You can also import the math module and use these functions inside the
eval statement.
>>> import math
>>> eval("1+math.sqrt(2)")
2.4142135623730949

However, all of these are dealing with numbers. I'd be interested to see
if someone did have an example of a malicious eval use. (In fact I'd be
downright anxious to know of any eval security weaknesses. *grins*)

I try to eval a non-numerical statement.
>>> eval("print 'hello'")
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<string>", line 1
    print 'hello'
        ^
SyntaxError: invalid syntax

Now I try a different statement that barfs on a different piece of
syntax.
>>> eval("if 1==1: print 'hello'")
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "<string>", line 1
    if 1==1: print 'hello'
     ^
SyntaxError: invalid syntax
>>>

In order to "evaluate" or execute a string as a command, rather than an
expression, the exec command has to be used. However, if you are really
paranoid, or would like to convert the following complex number
statements "1+32i" to correct python, "1+32j", look up the re module.

In any case, have fun. You should have a great time with the language, and
with this newsgroup.

Joal Heagney/AncientHart
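A defensive alternative to the eval() approach discussed in this thread, added here as an example and not part of any of the original posts: it parses the expression with Python's ast module and evaluates only numeric literals, arithmetic operators and a small allow-list of math functions, so anything outside that numeric subset is rejected instead of executed. The "i" to "j" rewrite follows the re-module suggestion above; the specific allow-list of functions and the `(?<=\d)i\b` convention are assumptions.

```python
import ast
import math
import operator
import re

# Constructed example, not from the original post: evaluate a user-supplied
# arithmetic expression by walking its AST and executing only an explicit
# allow-list of node types, instead of handing the string to eval().
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Pow: operator.pow, ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
# Only these functions are callable, as "sqrt(2)" or "math.sqrt(2)" (assumed list).
_FUNCS = {n: getattr(math, n) for n in ("sqrt", "sin", "cos", "log", "exp")}
# Assumed input convention: engineering-style "32i" becomes Python's "32j".
_I_SUFFIX = re.compile(r"(?<=\d)i\b")

def normalize(expr):
    return _I_SUFFIX.sub("j", expr)

def _eval_node(node):
    if isinstance(node, ast.Constant):
        # Numeric literals only: strings, bytes, None and bools are rejected.
        if isinstance(node.value, (int, float, complex)) and not isinstance(node.value, bool):
            return node.value
    elif isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval_node(node.left), _eval_node(node.right))
    elif isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    elif isinstance(node, ast.Call) and not node.keywords:
        f = node.func
        name = f.id if isinstance(f, ast.Name) else (
            f.attr if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "math" else None)
        if name in _FUNCS:
            return _FUNCS[name](*(_eval_node(a) for a in node.args))
    # Names, attribute access, subscripts, lambdas, comparisons, etc. all land here.
    raise ValueError("disallowed syntax: %s" % type(node).__name__)

def safe_eval(expr):
    """Evaluate a numeric expression; raise ValueError on anything else."""
    return _eval_node(ast.parse(normalize(expr), mode="eval").body)

def is_numeric_expression(expr):
    try:
        safe_eval(expr)
        return True
    except (SyntaxError, ValueError):
        return False
```

Because the allow-list is enforced on the parsed tree rather than by scanning the string for letters, `math.sqrt(2)` is accepted while `print('hello')` or a bare variable name is refused with a ValueError before anything runs.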