eval() == evil? --- How to use it safely?
Bruno Desthuilliers
bruno.42.desthuilliers at websiteburo.invalid
Fri Aug 29 10:36:46 EDT 2008
Fett wrote:
> On Aug 28, 7:57 pm, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
>
> So long story short: if I am expecting a dictionary of strings, I
> should make a parser that only accepts a dictionary of strings then.
Or use an existing parser for an existing and documented format, as many
posters (including myself) already suggested.
> There is no safe way to use an existing construct.
Nothing coming from the outside world is safe.
> That is what I was afraid of. I know I will have to deal with the
> possibility of bad data, but considering my use (an acronym legend for
> a database), and the fact that the site I plan to use should be
> secure, these issues should be minimal.
If you feel like opening the door to any script-kiddie, then please
proceed. It's *your* computer, anyway...
Else, use a known format with a known working parser (xml, json, yaml,
csv, etc.), and possibly https if your data are to be protected.
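An added example, not code from the thread, of the approach described above: parse the acronym legend with the standard `json` module and accept it only if it is an object whose keys and values are all strings, so there is no need for `eval()` at all. The function names, size limit and sample inputs are assumptions.

```python
import json
from typing import Dict

# Added example (not from the thread): accept an "acronym legend" only if it
# is a JSON object whose keys and values are all strings. Anything else,
# including text that eval() would treat as Python code, is rejected.


def parse_acronym_legend(text: str, max_bytes: int = 64 * 1024) -> Dict[str, str]:
    """Parse untrusted text as a dict of str -> str, or raise ValueError."""
    if len(text) > max_bytes:
        raise ValueError("legend too large")
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # A syntax error is the *only* thing a hostile payload can achieve
        # here; json.loads never evaluates anything.
        raise ValueError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(data, dict):
        raise ValueError("legend must be a JSON object")
    for key, value in data.items():
        # json.loads guarantees keys are str; values still have to be checked.
        if not isinstance(value, str):
            raise ValueError(f"value for {key!r} is not a string")
    return data


def is_accepted(text: str) -> bool:
    """True if the text passes the parser, False if it is rejected."""
    try:
        parse_acronym_legend(text)
    except ValueError:
        return False
    return True


# Constructed sample inputs (assumptions, not data from the thread).
GOOD = '{"CPU": "central processing unit", "RAM": "random access memory"}'
# eval() would execute the function call in place of a string literal;
# json.loads simply reports a syntax error.
CODE_NOT_DATA = '{"CPU": __import__("os").getcwd()}'
WRONG_SHAPE = '["CPU", "RAM"]'
WRONG_VALUE = '{"CPU": 1}'

if __name__ == "__main__":
    print(parse_acronym_legend(GOOD))
    for sample in (CODE_NOT_DATA, WRONG_SHAPE, WRONG_VALUE):
        print(repr(sample), "->", "accepted" if is_accepted(sample) else "rejected")
```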