[Tutor] Turning a string into a tuple? (Without eval?)

Andrei Kulakov ak@silmarill.org
Fri, 28 Sep 2001 19:27:37 -0400


On Fri, Sep 28, 2001 at 04:24:39PM -0700, Kirby Urner wrote:
> 
> Very impressive Blake!
> 
> But does it handle:
> 
> [why did it cut off before, will it do so again...?]
> 
> =====
> 
>   >>> f = lambda x: x*x
>   >>> qlist = "[f]"
>   >>> eval(qlist)
>   [<function <lambda> at 00B2C61C>]
> 
> =====
> 
> ?  :-D
> 
> I think eval(x) isn't so bad if its arg isn't wholly
> left up to some remote user via cgi or something (cite
> Danny's comments).  That'd be sloppy programming style.
> 
> But eval() can be insulated, and many (most) programs
> don't have anything to do with remote users with a
> malicious bent (including ones you download).
> 
> All worthy interpreted languages have something similar,
> no?
> 
> Kirby

Yeah, I would even go as far as saying that this isn't about eval per se
but about accepting untrusted user input. You just have to look at what
your program does with this input, and it may be eval or just an argument to
os.system, and so you check the input for illegal contents.


[snip]

- Andrei 

-- 
Cymbaline: intelligent learning mp3 player - python, linux, console.
get it at: cy.silmarill.org
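
Added example, not part of the original message: both sinks named in the reply, handled by checking the input first. It uses ast.literal_eval, a standard-library function that postdates this 2001 thread, to build the tuple without eval(), and passes a checked value to a child process as a single argv entry instead of an os.system string. The names parse_tuple, echo_arg and SAFE_ARG and all sample strings are constructed for illustration.

```python
import ast
import re
import subprocess
import sys


def parse_tuple(text, max_len=1000):
    """Turn text such as "(1, 'a', 2.5)" into a tuple without calling eval()."""
    if len(text) > max_len:
        raise ValueError("input too long")
    try:
        # literal_eval accepts only literals (numbers, strings, tuples, lists,
        # dicts, ...); names such as f and calls such as f() are refused.
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a plain literal: {exc}") from None
    if not isinstance(value, tuple):
        raise ValueError(f"expected a tuple, got {type(value).__name__}")
    return value


# Allowlist for the process argument: letters, digits, '_', '.', '-'.
SAFE_ARG = re.compile(r"[A-Za-z0-9_.-]+")


def echo_arg(arg):
    """Hand a checked value to a child process as one argv entry, with no shell."""
    if not SAFE_ARG.fullmatch(arg) or arg.startswith("-"):
        raise ValueError(f"illegal argument: {arg!r}")
    done = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return done.stdout.strip()


if __name__ == "__main__":
    # Constructed inputs: one plain tuple, Kirby's "[f]" case, and two others.
    for sample in ["(1, 'two', 3.0)", "[f]", "(f,)", "[1, 2]"]:
        try:
            print(repr(sample), "->", parse_tuple(sample))
        except ValueError as err:
            print(repr(sample), "rejected:", err)
    for sample in ["notes.txt", "notes.txt; echo hi"]:
        try:
            print(repr(sample), "->", echo_arg(sample))
        except ValueError as err:
            print(repr(sample), "rejected:", err)
```

The "[f]" string from the quoted session is rejected because it contains a name rather than a literal, which is the trade-off: this approach cannot return live objects the way eval() does.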