Eval (was Re: Question about using python as a scripting language)
Chris Lambacher
chris at kateandchris.net
Wed Aug 9 12:34:06 EDT 2006
On Wed, Aug 09, 2006 at 11:51:19AM -0400, Brendon Towle wrote:
> On 9 Aug 2006, at 11:04 AM, Chris Lambacher wrote:
>
> How is your data stored? (site was not loading for me).
>
> In the original source HTML, it's like this (I've deleted all but the
> beginning and the end of the list for clarity):
> var table_body = [
> ["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
> ,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
> ];
I didn't realize it was javascript syntax, a json implementation would
probably work for you: http://cheeseshop.python.org/pypi/simplejson
>
> More sophisticated situations (like nested lists) may require something
> like pyparsing.
>
> I could do that, or I could do something like the re.* trick mentioned by
> another poster. But, doesn't it offend anyone else that the only clean way
> to access functionality that's already in Python is to write long
> complicated Python code? Python already knows how to extract a list object
> from a string; why should I have to rewrite that?
I don't disagree with you. The problem is that the obvious way to do it
(eval) is a big security hole. In this case you are trusting that no one
inserts themselves between you and the website providing you with code to
EXECUTE. I have heard of people attempting to use the parser provided with
python and examining the AST to do this, but I think that approach is even
more complicated.
> B.
>
> On Wed, Aug 09, 2006 at 10:23:49AM -0400, Brendon Towle wrote:
>
> Slawomir Nowaczyk noted:
> #> Heck, whenever *is* it OK to use eval() then?
> eval is like optimisation. There are two rules:
> Rule 1: Do not use it.
> Rule 2 (for experts only): Do not use it (yet).
> So, that brings up a question I have. I have some code that goes out to a
> website, grabs stock data, and sends out some reports based on the data.
> Turns out that the website in question stores its data in the format of a
> Python list (http://quotes.nasdaq.com/quote.dll?page=nasdaq100, search
> the source for "var table_body"). So, the part of my code that extracts
> the data looks something like this:
> START_MARKER = 'var table_body = '
> END_MARKER = '];'
>
> def extractStockData(data):
>     pos1 = data.find(START_MARKER)
>     pos2 = data.find(END_MARKER, pos1)
>     # slice up to pos2 + 1 so the closing ']' of the list is kept
>     return eval(data[pos1+len(START_MARKER):pos2 + 1])
> (I may have an off-by-one error in there somewhere -- this is from memory,
> and the code actually works.)
> My question is: what's the safe way to do this?
> B.
> --
> Brendon Towle, PhD
> Cognitive Scientist
> +1-412-690-2442x127
> Carnegie Learning, Inc.
> The Cognitive Tutor Company ®
> Helping over 375,000 students in 1000 school districts succeed in math.
>
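A safe replacement for the eval() call in the quoted extractStockData, added here as an example and not code from either poster: ast.literal_eval (Python 2.6 and later) is the "examine the AST" approach Chris mentions packaged in the standard library, and it accepts only literal syntax, so anything executable that an attacker might plant in the fetched page raises an exception instead of running. The HTML fragment below is constructed to match the "var table_body" layout Brendon quoted.

```python
import ast

# Constructed sample of the page fragment described in the thread (not the
# live site); the embedded list mirrors the "var table_body = [...]" layout.
SAMPLE_HTML = """<html><body><script>
var table_body = [
 ["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
];
</script></body></html>"""

START_MARKER = 'var table_body = '
END_MARKER = '];'


def extract_table_text(data):
    """Return the text between the markers, keeping the closing ']'."""
    pos1 = data.find(START_MARKER)
    if pos1 < 0:
        raise ValueError("start marker not found")
    pos1 += len(START_MARKER)
    pos2 = data.find(END_MARKER, pos1)
    if pos2 < 0:
        raise ValueError("end marker not found")
    return data[pos1:pos2 + 1]  # END_MARKER begins with the ']' we need


def extract_stock_data(data):
    """Parse the table without eval().

    ast.literal_eval only builds strings, numbers, lists, tuples, dicts and
    the like; a call, attribute access or import in the text is rejected.
    """
    rows = ast.literal_eval(extract_table_text(data))
    # literal_eval proves the text was a literal, not that it has the
    # shape we expect, so validate that separately.
    if not isinstance(rows, list) or not all(isinstance(r, list) for r in rows):
        raise ValueError("table_body is not a list of rows")
    return rows


def is_safe_literal(text):
    """True if text is a pure literal; False if it contains executable code."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError):
        return False
```

This particular fragment is also valid JSON, so json.loads would accept it too and is the stricter choice when the source is known to emit JSON; literal_eval can still exhaust the stack on absurdly nested input, so keep the surrounding size limits you would apply to any untrusted download.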