Converting hex string to an integer

Michael Hudson mwh at python.net
Fri Aug 27 14:20:03 CEST 2004


Peter Hansen <peter at engcorp.com> writes:

> Rick Holbert wrote:
> > Derek Fountain wrote:
> >>Given the character string "0x00A1B2C3" arriving at sys.argv[1] how do I
> >>convert that to an integer which I can do some math on?
> > i = eval(sys.argv[1])
> 
> That's dangerous advice to a newbie if not qualified carefully.
> 
> Derek, "eval" could be the source of serious security problems
> if you don't understand its power.  Specifically it should
> almost never be used for input that comes from a user or
> via the command line.  There is pretty much always another
> and much better way to do the simple stuff like conversions
> than to use eval.
> 
> For example, imagine if a malicious could feed your program this:
> 
> (on the Linux command line)
> 
>    $ myscript "__import_('os').system('rm -rf /')"

Well, in this situation, he could just type

$ rm -rf /

But, yes.

Cheers,
mwh

-- 
  I'm not particularly fond of singing GSTQ because she stands for
  some things I don't, but it's not really worth letting politics
  getting in the way of a good bawling.     -- Dan Sheppard, ucam.chat



More information about the Python-list mailing list