use strings to call functions

Paul Rudin paul.nospam at rudin.co.uk
Tue Feb 9 08:29:33 CET 2010


Steven D'Aprano <steven at REMOVE.THIS.cybersource.com.au> writes:

> On Mon, 08 Feb 2010 14:43:46 -0800, Aahz wrote:
>
>>>> WARNING: eval() is almost always the wrong answer to any question
>>>
>>>warning : it works !
>> 
>> Works for what?
>
> Code injection security bugs, of course.
>
> http://en.wikipedia.org/wiki/Code_injection
>
> It is surprisingly difficult to sanitize strings in Python to make them 
> safe to pass to eval. Unless you are prepared to trust the input data 
> explicitly, it's best to just avoid eval.

Despite the fact that it's used in the standard library...



More information about the Python-list mailing list