use strings to call functions

Steven D'Aprano steven at REMOVE.THIS.cybersource.com.au
Tue Feb 9 02:51:01 CET 2010


On Mon, 08 Feb 2010 14:43:46 -0800, Aahz wrote:

>>> WARNING: eval() is almost always the wrong answer to any question
>>
>>warning : it works !
> 
> Works for what?

Code injection security bugs, of course.

http://en.wikipedia.org/wiki/Code_injection

It is surprisingly difficult to sanitize strings in Python to make them 
safe to pass to eval. Unless you are prepared to trust the input data 
explicitly, it's best to just avoid eval.



-- 
Steven



More information about the Python-list mailing list