[Tutor] avoid eval how???
Colin J. Williams
cjw at sympatico.ca
Fri Nov 4 01:30:48 CET 2005
Danny Yoo wrote:
>>>I have a dynamic functions which created by some algorithms during
>>>runtime. These functions are in string type. When I want to use it, I
>>>can use eval command. But can someone give me more suggestion about
>>>how to handle this problem, I want to avoid eval.
>>>
>>>
>>Why avoid? It seems the simplest way.
>>
>>
>
>Hi Colin,
>
>The problem is that an eval()-like is too powerful for most programmers to
>use safely. Its danger is not a Python-specific issue, but common to any
>language that provides an eval() on arbitrary strings.
>
> http://en.wikipedia.org/wiki/Eval#Security_risks
>
>This aversion to eval() isn't based on some theoretical worry; the PHP
>folks got hit by exploits that targeted eval-using code just a few months
>ago. Read the "Security" section of:
>
> http://phpxmlrpc.sourceforge.net/#security
>
>to see what kind of issues eval() brings when we use it. They hit the
>same conceptual problem three times before they finally got humble enough
>to realize that eval() was the wrong tool.
>
>We have to learn from their mistakes, or else we'll make them ourselves.
>*grin*
>
>
>
Danny,
You make some good points here but I suggest that, in the real world,
the risks are small.
You might consider using exec instead. It would appear that one can
specify a restricted environment in which the statement is executed.
Colin W.
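An added example, not from the thread, of how the original poster's runtime-generated arithmetic expressions can be turned into callables without eval() or exec(): the string is parsed with the standard ast module and only a whitelist of node types is interpreted, so calls, attribute access and imports are rejected before anything runs. The function names (safe_eval, make_function, rejects) and the sample expressions are assumptions made for this illustration.

```python
import ast
import operator

# Whitelisted operators; any node type or operator not listed here is rejected.
# Note: for untrusted input, Pow should additionally have its exponent bounded,
# since "9**9**9" is still a denial-of-service even with no eval() involved.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _walk(node, variables):
    """Interpret one AST node; raise ValueError for anything outside the whitelist."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in variables:
            raise ValueError(f"unknown variable: {node.id}")
        return variables[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_walk(node.left, variables),
                                       _walk(node.right, variables))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand, variables))
    # Call, Attribute, Subscript, Lambda, comprehensions, etc. all end up here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr, variables):
    """Evaluate an arithmetic expression string over named variables without eval()."""
    tree = ast.parse(expr, mode="eval")   # parsing executes nothing
    return _walk(tree.body, variables)


def make_function(expr, *params):
    """Wrap a generated expression string as a callable over the given parameter names."""
    ast.parse(expr, mode="eval")          # fail early on a syntax error
    return lambda *args: safe_eval(expr, dict(zip(params, args)))


def rejects(expr):
    """True if the whitelist interpreter refuses the expression."""
    try:
        safe_eval(expr, {"x": 1})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    f = make_function("x**2 + 2*x + 1", "x")
    print(f(3))                                      # 16
    for bad in ("__import__('os')", "x.__class__", "open('x')"):
        print(bad, "rejected:", rejects(bad))        # all True
```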