What's so wrong about execfile?

John Nagle nagle at animats.com
Mon Mar 2 17:43:42 CET 2009


Carl Banks wrote:
> On Feb 27, 7:21 pm, Sammo <sammo2... at gmail.com> wrote:
>> Given that execfile has been removed in py3k, I want to understand
>> exactly why.
>>
>> Okay, I get that execfile is bad from the following thread:
>>
>> On Jul 29 2007, 2:39 pm, Steven D'Aprano
>>
>>
>>
>> <st... at REMOVE.THIS.cybersource.com.au> wrote:
>>> (1) Don't use eval, exec or execfile.
>>> (2) If you're an expert, don't use eval, exec or execfile.
>>> (3) If you're an expert, and are fully aware of the security risks, don't
>>> use eval, exec or execfile.
>>> (4) If you're an expert, and are fully aware of the security risks, and
>>> have a task that can only be solved by using eval, exec or execfile, find
>>> another solution.
>>> (5) If there really is no other solution, you haven't looked hard enough.
>>> (6) If you've looked REALLY hard, and can't find another solution, AND
>>> you're an expert and are fully aware of the security risks, THEN you can
>>> think about using eval, exec or execfile.
>> What are some of the reasons why execfile should not be used?
>>
>> What are some examples of cases where execfile is the correct way of
>> doing something?
> 
> 
> [For instance, the package I use to generate my web site uses exec and
> eval, because it processes templates with embedded Python code.  

    Now there's an example of exactly what exec and eval shouldn't be used for.

    You don't put general-purpose execution mechanisms into your web site
template system.  That's just asking for trouble.

				John Nagle



More information about the Python-list mailing list