eval() == evil? --- How to use it safely?

Fett FettManChu at gmail.com
Fri Aug 29 20:51:55 CEST 2008


> Your way of thinking is similar to Microsoft's. Encrypting and Signing
> is a kludge, a real fix should fix the underlying cause. Anyway using
> data parsers isn't that much harder than using eval/exec.

While I agree that in this situation I should do both, what would you
propose for cases where the data being sent is supposed to be
executable code:

I happen to know that for enterprise disk drives (like what Google
uses to store everything) the firmware is protected by exactly what I
describe. Since the firmware has to be able to run, the kind of fix
you propose is not possible. I would assume that if this kind of data
transfer was deemed poor, that Google and others would be demanding
something better (can you imagine if Google's database stopped working
because someone overwrote the firmware on their hard-drive?).

Again, I suppose that in this case writing a parser is a better option
(parsing a dict with strings by hand is faster than reading
documentation on someone else's parser anyway), but both is the best
option by far.

Again, thank you all for your help.



More information about the Python-list mailing list