[Tutor] executing a string representing python code
ALAN GAULD
alan.gauld at btinternet.com
Mon Mar 5 21:01:24 CET 2007
> That's neat. When just the function call is the string,
> eval() seems appropriate. (For example, if reading what
> function to call from a file.)
It's convenient but incredibly dangerous.
It's much better in that case to create a dictionary of allowed
(ie safe!) functions that can be read and then look that up
from the file input.
Otherwise anyone who can access the file (legitimately or
otherwise) can start calling any of the standard Python functions,
including os.unlink() to delete files, or even os.system(), to do
just about anything - how about formatting your disk?
import sys

# Allow-list: only names present in this dictionary can be called
# from user input (some_func and another_func are defined elsewhere).
ok_funks = {
'some_func' : some_func,
'another_func': another_func,
'some_fancy_name': sys.exit
}
func = raw_input('type a function name>')
try: ok_funks[func]()
except KeyError: print "That's not a valid function"
eval and exec are seductively powerful but they are immensely
dangerous in a world of crackers and virus makers. They should
only ever be used in strictly controlled scenarios and even then
as a last resort.
HTH,
Alan G.
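As an added example (not part of Alan's post), here is the same allow-list idea applied to the file-driven case from the quoted question: each line names a function plus arguments, the name is looked up in a dictionary and never passed to eval(), so a planted "os.unlink" line is rejected instead of run. The functions greet and add, the RejectedCommand class and the SAMPLE text are all constructed for this illustration.

```python
import shlex

# Constructed example operations: the only things a command file may invoke.
def greet(name):
    return "hello, {}".format(name)

def add(a, b):
    return int(a) + int(b)

# The allow-list. Anything not listed here cannot be reached from the file.
ALLOWED = {
    "greet": greet,
    "add": add,
}

class RejectedCommand(ValueError):
    """Raised for names outside the allow-list or for bad arguments."""

def run_command(line):
    """Dispatch one line of the form 'name arg1 arg2 ...' via ALLOWED.

    The name is a dictionary key, not code, so 'os.unlink secrets.txt'
    simply fails the lookup; nothing is evaluated or imported.
    """
    parts = shlex.split(line, comments=True)
    if not parts:
        return None  # blank or comment-only line
    name, args = parts[0], parts[1:]
    try:
        func = ALLOWED[name]
    except KeyError:
        raise RejectedCommand("not an allowed function: {!r}".format(name))
    try:
        return func(*args)
    except TypeError as exc:  # wrong number of arguments for that function
        raise RejectedCommand("bad arguments for {}: {}".format(name, exc))

def run_script(text):
    """Run every line of a command file; return (results, rejection messages)."""
    results, rejected = [], []
    for line in text.splitlines():
        try:
            out = run_command(line)
        except RejectedCommand as exc:
            rejected.append(str(exc))
        else:
            if out is not None:
                results.append(out)
    return results, rejected

# Constructed command file, including a line an attacker might plant.
SAMPLE = "greet world\nadd 2 3\n# comment line\nos.unlink secrets.txt\nadd 1\n"
```

Running run_script(SAMPLE) yields two results and two rejections; with eval() in place of the lookup, the os.unlink line would have been executed.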