get a list from a string
Steven D'Aprano
steve at REMOVE.THIS.cybersource.com.au
Thu Jun 7 08:39:41 EDT 2007
On Thu, 07 Jun 2007 11:06:54 +0000, simon kagwe wrote:
>> exec("distances = [[1,1,1,1],[2,2,2,2]]")
> Wow! So simple!
>
> Thanks a lot. :-)
Yes, and when you embed this in your web-application, using data gathered
from a web-form, the black-hat hackers will thank you for the security
hole too.
Surely a much better solution would be NOT to start with a string like
"distances = [[1,1,1,1],[2,2,2,2]]" in the first place? Where does that
string come from? If it comes from the user, at run-time, using exec is a
MAJOR security hole. If it comes from the source code, then WHY???
I wish exec and eval were hidden away in a module so they were harder (but
not impossible) to get to. Because I'm paranoid, I wish importing that
module would print a warning saying "Are you MAD??? Don't do this!!!". I
wish even more that Python would come with a built-in "make a list from a
list representation" function, but that at least is fairly easy to create:
you can modify
Here is a discussion about just how hard (that is, probably impossible) it
is to make eval safe:
http://effbot.org/zone/librarybook-core-eval.htm
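As an added example (not part of the original thread, and not the code Simon posted): the exec pattern quoted above, side by side with the "make a list from a list representation" function Python later gained for exactly this job, ast.literal_eval (added in Python 2.6, after this post was written). literal_eval only builds literals, so a string that is a valid Python *expression* but not a literal is rejected instead of run. The function names, the "audit" list standing in for the application's globals, and both input strings are constructed for the demonstration.

```python
import ast

# Constructed inputs for the demonstration (not from the original thread).
GOOD_INPUT = "[[1,1,1,1],[2,2,2,2]]"
# A valid Python expression that is NOT a literal: it runs code, then still
# evaluates to the expected list, so the application notices nothing.
HOSTILE_INPUT = "audit.append('attacker code ran') or [[1,1,1,1],[2,2,2,2]]"

MAX_INPUT_LEN = 10_000  # bound the parser's work before it starts


def parse_distances_unsafe(user_text, namespace):
    """The pattern from the thread: exec on a caller-supplied string.

    `namespace` stands in for whatever the exec call can reach in a real
    application (module globals such as os, open, a database handle ...).
    Any Python statement the caller can type runs here.
    """
    exec("distances = " + user_text, namespace)
    return namespace["distances"]


def parse_distances(user_text):
    """Safe replacement: ast.literal_eval only builds Python literals
    (numbers, strings, bytes, tuples, lists, dicts, sets, booleans, None).
    Names, calls, attribute access and most operators raise ValueError,
    so no user code ever runs.
    """
    if len(user_text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    try:
        value = ast.literal_eval(user_text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("input is not a Python literal: %s" % exc) from None
    # literal_eval accepts *any* literal, so the expected shape still has
    # to be enforced: a non-empty, rectangular list of numeric rows.
    if not isinstance(value, list) or not value:
        raise ValueError("expected a non-empty list of rows")
    width = None
    for row in value:
        if not isinstance(row, list) or not row:
            raise ValueError("each row must be a non-empty list")
        if width is None:
            width = len(row)
        elif len(row) != width:
            raise ValueError("rows must all have the same length")
        for x in row:
            # bool is a subclass of int, so reject it explicitly.
            if isinstance(x, bool) or not isinstance(x, (int, float)):
                raise ValueError("distances must be int or float, got %r" % (x,))
    return value


def demo():
    """Run both parsers on both inputs; returns what each one did.

    For the exec variant the result is (distances, audit): `audit` records
    any side effect the input managed to cause in the shared namespace.
    """
    results = {}
    for label, text in (("good", GOOD_INPUT), ("hostile", HOSTILE_INPUT)):
        audit = []
        results[label, "exec"] = (parse_distances_unsafe(text, {"audit": audit}),
                                  list(audit))
        try:
            results[label, "literal_eval"] = parse_distances(text)
        except ValueError as exc:
            results[label, "literal_eval"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
```

Two things the shape check is there for: literal_eval will happily return a dict, a string or a nested tuple, so the schema still has to be validated after parsing; and even literal_eval can be made to exhaust memory or the recursion limit on pathological input, which is why the length cap and the MemoryError/RecursionError handling are part of the safe path rather than an afterthought.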