Transforming a str to an operator

Stephen Hansen apt.shansen at gmail.com
Fri Aug 28 08:01:29 CEST 2009


>
> > I would use the following approach:
>
> Abviously the OP is a python baby noob and casting your irrational
> fear (and many others irrational fears) of eval at him is akin to
> tales of Chupacabras running a muck in the jungle sucking the blood
> from live goats in the twilight hours. I use eval all the time and
> quite love it.
>

Yes, the OP is clearly a newbie to the language and probably programming in
general, but that response is nonsense. It's a perfect example of a false
analogy. Chupacabras are superstition, baseless fear-mongering. eval() is a
very real dangerous construct. There is absolutely nothing irrational about
the unsafe nature of eval.

It is a tool: it is a useful tool if one knows how to use it, but is a tool
that you'll slam into your thumb and break it if you don't know how. When
there are tools available which address the same problem without those
dangers, newbies should be exposed to THOSE first.



> This is nothing more than a throw away academic exercise that will
> serve no useful purpose for him in the future, but serves the very
> useful purpose now of establishing an IO between the student and
> Python interpretor. I'll bet most your example (albeit a good example)
> flew miles above his head into la-la land.
>

I prefer not to assume newbies are stupid; if they don't understand a part
of a correct explanation that's given, they can ask for clarification and
further details can be given.

True, this is a very Python-specific "correct" example to this basic
problem, with dictionary dispatch which is a very Pythonic idiom that might
be a bit too much for a newbie to programming in general: if that's the
case, the correct thing to show the newbie would be:

if op == "+":
    print "The result is:", int(num1) + int(num2)
elif op == "-":
    print "The result is:", int(num1) - int(num2)

..etc.

Exposing newbies to eval() is simply irresponsible. It is not an irrational
fear: eval has a purpose and it is useful and it's fine to use, IF you
understand the language and implications enough to use it. If you don't, if
you're a newbie to programming entirely, it is good sense and a benefit to
the newbie to steer the person away from something that will get them in
trouble down the road. If they're not ready to deal with input sanitization,
that's fine... but exposing them to dangerous practices when there's clear
and logical alternate approaches is fool-hearty.

The OP has plenty of time to learn about malicious input and
> protecting against it, right now the fundamentals are well...
> fundamental :)


eval is simply NOT a fundamental. It should be considered an advanced
feature, for advanced usage; that it seems simple is all the more dangerous.
No one should be taught from an early stage that 'this is how to address a
problem', only to then teach them later, 'Oh, by the way, that thing I
taught you? It's bad in most cases and you shouldn't do it again'.

--S
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20090827/dff6be69/attachment.html>


More information about the Python-list mailing list