Is this a safe use of eval?

Frank Millman frank at chagford.com
Thu Feb 24 09:48:39 CET 2011


Hi all

I know that the use of 'eval' is discouraged because of the dangers of 
executing untrusted code.

Here is a variation that seems safe to me, but I could be missing something.

I have a class, and the class has one or more methods which accept various 
arguments and return a result.

I want to accept a method name and arguments in string form, and 'eval' it 
to get the result.

Assume I have an instance called my_inst, and a method called 'calc_area', 
with arguments w and h.

I then receive my_string  = 'calc_area(100, 200)'.

>>> result = eval('my_inst.{0}'.format(my_string))

This will only work if the string contains a valid method name with valid 
arguments.

Can anyone see anything wrong with this?

Thanks

Frank Millman





More information about the Python-list mailing list