Suggestions for good programming practices?

brueckd at tbye.com brueckd at tbye.com
Tue Jun 25 14:52:50 EDT 2002


On 25 Jun 2002, Donn Cave wrote:

> | So... rather than teaching "avoid W!", let's say "be careful with W 
> | because of X, Y, and Z". I still wouldn't use eval/exec on code posted 
> | through a web form, for example, but there are times when they are very 
> | useful and I can use them in good confidence because I understand their 
> | risks.
> 
> But you weren't going to be deterred by that pronouncement anyway.
> 
> "Avoid exec, execfile, eval, and input" is good advice.  Taken at face
> value, it doesn't necessarily absolutely prohibit their use - if I said
> "avoid walking in the road", you could reasonably assume I'm
> saying something like "walk on the sidewalk when possible".

If you mean the latter, say the latter. Neither newbies nor veterans have 
to do any reading between the lines. Even better, say "walk on the 
sidewalk when possible because ___".

> Someone whose software engineering skills have been honed by years
> of wrestling with ugly code monsters will apply a different perspective
> to that advice.  A 1-week newbie could do worse than to follow that
> advice religiously.

I understand your point, but the OP is new to Python, not programming.  
This isn't a big deal; I was simply pointing out that just saying "don't
use those!" (Why? Are they broken? Deprecated? What?) isn't as helpful as
explaining the risks.

In the specific case of exec/eval, people are quick to strike them down,
often citing the untrusted input example (what about os.system, .fork,
etc.?), but that's a pretty narrow and uncommon usage scenario. When I
first learned Python I used them in some of the "forbidden" ways because I
hadn't learned getattr/setattr yet. So what? My programs worked fine (a
little slow) and later I learned better ways and now use those instead.

If a person is new to programming altogether then what kind of a teacher
will draw attention to exec/eval in the first place anyway? Besides, the
people who understand the potential for problems with something tend to be
the ones that don't mishandle it (whether it be streets, guns, or Python
functions).

-Dave
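The trade-off Dave describes, as an added example that is not code from the original thread: the eval/exec attribute-access idiom a newcomer might write before learning getattr/setattr, beside the getattr/setattr form and ast.literal_eval for form values. The Config class, the ALLOWED_FIELDS allowlist and the two hostile inputs are constructed for illustration; the point the code adds is that getattr/setattr stop code execution but still let a caller pick any attribute name, so an allowlist is the missing second half.

```python
"""Added example, not from the original post: eval/exec field access
beside getattr/setattr, with constructed attacker-controlled input."""
import ast


class Config:
    """Constructed stand-in for an object a web form is allowed to edit."""

    def __init__(self):
        self.host = "localhost"
        self.port = 8080


# Even with getattr/setattr an attacker-chosen name can still reach
# __class__, __dict__ and friends, so the name itself must be allowlisted.
ALLOWED_FIELDS = {"host", "port"}

# Constructed hostile inputs: a real field name followed by extra Python.
HOSTILE_EXPR = "port and __import__('os').getcwd()"   # expression tail for eval
HOSTILE_STMT = "host = 'evil'; obj.port"              # statement injection for exec


def lookup_eval(obj, name):
    """The 'forbidden' idiom: the field name is spliced into source text."""
    return eval("obj." + name)


def update_exec(obj, name, value):
    """Same idiom with exec; a ';' or newline in the name adds statements."""
    exec("obj." + name + " = value")


def lookup_getattr(obj, name):
    """getattr treats the name as a dictionary key, never as code."""
    try:
        return getattr(obj, name)
    except AttributeError:
        return None


def update_field(obj, name, value):
    """setattr behind an allowlist. Returns True if the field was updated."""
    if name not in ALLOWED_FIELDS:
        return False
    setattr(obj, name, value)
    return True


def parse_form_value(text):
    """Parse an untrusted literal such as '[1, 2]' or '42' into a value.

    ast.literal_eval accepts only literals, so names and calls are
    rejected (ValueError/SyntaxError) instead of being executed.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


if __name__ == "__main__":
    cfg = Config()
    print("eval, honest name:  ", lookup_eval(cfg, "port"))
    print("eval, hostile name: ", lookup_eval(cfg, HOSTILE_EXPR))   # a directory path
    print("getattr, hostile:   ", lookup_getattr(cfg, HOSTILE_EXPR))  # None
    update_exec(cfg, HOSTILE_STMT, 1)
    print("after exec:         ", cfg.host, cfg.port)   # evil 1
    cfg = Config()
    print("allowlisted setattr:", update_field(cfg, HOSTILE_STMT, 1), cfg.host)
    print("literal_eval:       ", parse_form_value("[1, 2, 3]"))
    print("literal_eval, call: ", parse_form_value("__import__('os').getcwd()"))
```

Running it shows the two failure modes side by side: with eval the hostile name returns the working directory instead of the port, and with exec it silently rewrites a second field; getattr raises AttributeError on the same string, and the allowlisted setattr rejects it outright.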