Read any function in runtime

Matt McCredie mccredie at gmail.com
Mon Oct 26 17:25:19 CET 2009


Rhodri James <rhodri <at> wildebst.demon.co.uk> writes:

> 
> On Fri, 23 Oct 2009 17:39:40 +0100, Matt McCredie <mccredie <at> gmail.com>  
> wrote:
> 
> > joao abrantes <senhor.abrantes <at> gmail.com> writes:
> >
> >>
> >> Hey. I want to make a program like this:print "Complete the function
> > f(x)="then the user would enter x+2 or 1/x or any other function that  
> > only uses
> > the variable x. Then my python program would calculate f(x) in some  
> > points for
> > example in f(2),f(4).. etc . How can I do this?
> >>
> >
> > check out 'eval' or 'exec'.
> 
> Then check out all the reasons you shouldn't use them in an
> environment that you don't trust absolutely -- if someone wipes
> your hard disc, you won't get any sympathy from here.
> 
> The safe answer is to write yourself a small parser.  Given that
> you've got a very limited symbol set, that shouldn't be too hard.
> 

This should only be a concern if it is some sort of client/server app (like a
web-app). If this is something that is going to be run on a local machine then
the person running it could do just as much damage via the command line.

While I agree that there is a danger if the input might come from untrusted
users, and the original poster should be aware of that, writing your own parser
only makes sense in those instances. If this application is run locally then
users have access to the machine anyway.

I don't want to give a (potentially) new user to python the impression that they
need to be writing their own parser to solve this problem. It depends on where
the input is coming from. 

Two things to note: 
1. eval and exec are perfectly safe if the input is from a trusted source.
2. eval and exec are never safe if the input is not from a trusted source.

Matt McCredie





More information about the Python-list mailing list