[Tutor] avoid eval how???

Danny Yoo dyoo at hkn.eecs.berkeley.edu
Thu Nov 3 20:38:58 CET 2005


> > I have dynamic functions which are created by some algorithms during
> > runtime. These functions are in string type. When I want to use them, I
> > can use the eval command. But can someone give me more suggestions about
> > how to handle this problem? I want to avoid eval.
>
> Why avoid?  It seems the simplest way.

Hi Colin,

The problem is that an eval()-like function is too powerful for most
programmers to use safely.  Its danger is not a Python-specific issue, but
common to any language that provides an eval() on arbitrary strings.

    http://en.wikipedia.org/wiki/Eval#Security_risks

This aversion to eval() isn't based on some theoretical worry; the PHP
folks got hit by exploits that targeted eval-using code just a few months
ago.  Read the "Security" section of:

    http://phpxmlrpc.sourceforge.net/#security

to see what kind of issues eval() brings when we use it.  They hit the
same conceptual problem three times before they finally got humble enough
to realize that eval() was the wrong tool.

We have to learn from their mistakes, or else we'll make them ourselves.
*grin*
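As an added example (not part of Danny's reply or anything else in this thread), here is one way to run the kind of generated arithmetic expressions the original poster described without ever calling eval(): parse the string with the standard ast module and allow only an explicit list of node types, so a string like "__import__('os')" or "x.__class__" is refused before anything is computed. It targets Python 3.8+ rather than the 2005-era interpreter, and the names safe_eval, make_function, is_rejected and MAX_EXPONENT are my own, not from the list or the standard library.

```python
"""Allow-list evaluator for generated arithmetic expressions (added example).

Instead of eval(), the string is parsed with the ast module and every node is
checked against a small allow-list before anything is computed.  Only numeric
literals, named parameters, + - * / % ** and unary +/- get through.
"""
import ast
import operator

# Operators we are willing to apply; everything else is rejected by name.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.Mod: operator.mod,
    ast.Pow: operator.pow,
}
_UNARY_OPS = {
    ast.UAdd: operator.pos,
    ast.USub: operator.neg,
}

# Constructed limit: 9 ** 9 ** 9 is valid arithmetic but exhausts memory/CPU.
MAX_EXPONENT = 100


class UnsafeExpression(ValueError):
    """Raised for any construct outside the arithmetic allow-list."""


def _validate(tree, allowed_names):
    """Walk the whole tree once and reject anything not on the allow-list."""
    for node in ast.walk(tree):
        if isinstance(node, (ast.Expression, ast.operator, ast.unaryop, ast.expr_context)):
            continue  # structural nodes; operator types are checked on their parents
        if isinstance(node, ast.Constant):
            if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
                raise UnsafeExpression(f"only numeric literals allowed, got {node.value!r}")
        elif isinstance(node, ast.Name):
            if node.id not in allowed_names:
                raise UnsafeExpression(f"unknown name {node.id!r}")
        elif isinstance(node, ast.BinOp):
            if type(node.op) not in _BIN_OPS:
                raise UnsafeExpression(f"operator {type(node.op).__name__} not allowed")
        elif isinstance(node, ast.UnaryOp):
            if type(node.op) not in _UNARY_OPS:
                raise UnsafeExpression(f"operator {type(node.op).__name__} not allowed")
        else:
            # Call, Attribute, Subscript, Lambda, comprehensions, ...: every node
            # that could reach builtins, attributes or the import machinery.
            raise UnsafeExpression(f"disallowed construct: {type(node).__name__}")


def _evaluate(node, variables):
    """Evaluate an already-validated tree; no Python code object is created."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return variables[node.id]
    if isinstance(node, ast.BinOp):
        left = _evaluate(node.left, variables)
        right = _evaluate(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp):
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand, variables))
    raise UnsafeExpression(f"disallowed construct: {type(node).__name__}")


def _parse(expr):
    try:
        return ast.parse(expr, mode="eval")  # mode="eval" rejects statements outright
    except SyntaxError as exc:
        raise UnsafeExpression(f"syntax error: {exc.msg}") from None


def safe_eval(expr, variables=None):
    """Evaluate one expression string against a dict of allowed variable values."""
    variables = dict(variables or {})
    tree = _parse(expr)
    _validate(tree, variables.keys())
    return _evaluate(tree.body, variables)


def make_function(expr, param_names):
    """Turn a generated expression string into a callable, validated once up front."""
    tree = _parse(expr)
    _validate(tree, set(param_names))

    def generated(*args):
        if len(args) != len(param_names):
            raise TypeError(f"expected {len(param_names)} arguments, got {len(args)}")
        return _evaluate(tree.body, dict(zip(param_names, args)))

    return generated


def is_rejected(expr, variables=None):
    """True if safe_eval refuses the expression (useful for tests and audit logs)."""
    try:
        safe_eval(expr, variables)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    square_plus = make_function("x * x + 2 * x + 1", ["x"])
    print(square_plus(3))
    print(is_rejected("__import__('os').system('id')"))
```

For inputs that are pure data rather than expressions (numbers, strings, lists, dicts), the standard library's ast.literal_eval already does this job; the block above exists for expressions with operators and variables, which literal_eval refuses.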


