How to convert a list of strings into a list of variables

Steven D'Aprano steve+comp.lang.python at
Fri Aug 19 03:42:24 CEST 2011

Chris Angelico wrote:

> On Thu, Aug 18, 2011 at 5:09 PM, John Gordon <gordon at> wrote:
>> for x in list_of_strings:
>> list_of_variables.append(eval(x))
> If this really is what you need, you can simplify it by using the
> globals() dictionary - it's a regular dictionary whose contents are
> all the global variables in your current module. Inside a function,
> use locals() instead.

You can use locals outside of a function too, because it just returns

Lookup of names in locals/globals is much safer than eval, particularly if
there is any risk that the list of names comes from an untrusted or 
potentially hostile source.

list_of_strings = ['red', 'blue', 
    '__import__("os").system("echo I just p0wned your system")',
    'green', 'yellow']

(The simplest way out of a billion to cause grief.)

Code injection attacks are the first and second most common form of security
vulnerability, ahead of even buffer overflows. Please don't add to the

(Oh, and if you think that protecting against code injection attacks while
still using eval or exec is simple, please step away from the keyboard.)


More information about the Python-list mailing list