[Tutor] exec, execfile, rexec

DS ds-python-tutor at sidorof.com
Tue Feb 14 19:14:25 CET 2006


I have been writing a web-based application in which users would be able
to input expressions which would be evaluated on the server.  I had read
about the dangers of using eval for such things, and so I parse the
expressions myself, and calculate the expressions using my own code.
This wasn't too bad, because that gave me a chance to learn about
parsing expressions, AST, and other aspects of coding that I wasn't
particularly familiar with.  If that was all I needed to do, my code
seems adequate for this purpose.

Now, I've been starting to think about adding multiline expressions, or
really, at this point, programs.  I don't think it would be all that bad
to implement some simple structure for doing that, but I can't help but
think that it would make more sense to simply use Python directly.  Not
only is it already implemented, but I certainly like to use it, and it
might promote the use of Python just a bit more.

Is this simply such a bad idea that I should not even consider it?  Is
there a way that I can limit usage by filtering all programs for
operating system calls, certain imports, maybe not allowing lambdas?  I
would hate to get compromised in some way that I don't understand.

Thanks for any guidance.

ds

