[Tutor] eval and exec
kent37 at tds.net
Sun Dec 5 03:35:16 CET 2004
Marilyn Davis wrote:
> Thank you. You guys are great.
> I was trying to eval("import %s" % something).
> exec("import %s" % something) works just fine and now I understand why.
> But, why is this so extremely dangerous?
The danger is in exec'ing code whose source is not trusted.
Using exec to import a module or create a name in your own code is fine. Using exec to run code from
an untrusted source such as user input is opening yourself to any kind of mischief. For example you
wouldn't want to
exec("import os; os.system('del /f /q *')")
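Added example, not part of the original post or thread: the exec("import %s" % something) pattern discussed above, next to a version that never treats the name as source code. The allowlist contents, the function names and the sample input are assumptions made for illustration; importlib.import_module is the standard-library call in current Python.

```python
import importlib
import re

# Hypothetical allowlist of modules the program is willing to load by name.
ALLOWED_MODULES = {"json", "math", "string"}

# A dotted module path made only of identifiers: no spaces, semicolons or parentheses.
_MODULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")


def import_with_exec(name):
    """The pattern from the thread: the name is pasted into source text and executed."""
    namespace = {}
    exec("import %s" % name, namespace)
    return namespace


def import_by_name(name, allowed=ALLOWED_MODULES):
    """Load a module by name without ever compiling the name as code."""
    if not isinstance(name, str) or not _MODULE_NAME.fullmatch(name):
        raise ValueError("not a module name: %r" % (name,))
    if name not in allowed:
        raise PermissionError("module not on the allowlist: %r" % (name,))
    return importlib.import_module(name)


def demo():
    # Constructed input: a harmless extra statement stands in for whatever an
    # untrusted user might append after the module name.
    hostile = "math; smuggled = 'extra statement ran'"
    ns = import_with_exec(hostile)
    results = {"exec_ran_extra": ns.get("smuggled")}
    try:
        import_by_name(hostile)
    except ValueError as err:
        results["validated"] = "rejected: %s" % err
    try:
        import_by_name("os")  # a valid name, but not on the allowlist
    except PermissionError as err:
        results["allowlist"] = "rejected: %s" % err
    results["ok"] = import_by_name("math").sqrt(16)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With exec, anything after the module name runs as a statement; with the validated lookup, the same input is refused before any code is loaded.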