[Tutor] Invalid Token Problem
Alan Gauld
alan.gauld at btinternet.com
Fri Jul 20 20:49:50 CEST 2012
On 20/07/12 11:31, Ross Wilson wrote:
> But what is the difference if I write incorrect code and *execute* it or
> write the same code in a string and *eval()* it. The result is the
> same whether eval() is used or not. Same result, same risk.
No, a much bigger risk because you can manipulate your strings at run
time before eval()ing them.
The potential exists to modify your string in an unexpected way (via
buggy code or buggy input data) that results in a dangerous command
set being executed, even if not intended. You can't do that in plain
code unless you are writing self modifying code - and that's even more
dangerous than using eval()!
I don't want to exaggerate the risk, it is a lot lower than allowing
anyone to type in potentially malicious code but it is still a whole
level more dangerous than typing in explicit code and executing it in
the interpreter. It's important not to forget that it's not just
strangers' strings that can cause problems in eval()/exec().
--
Alan G
Author of the Learn to Program web site
http://www.alan-g.me.uk/
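An added example (not from the original thread, and not Alan's code) of the point made above: the same eval() statement executes different code depending on what the string looked like when eval() got it. CONFIG, the key strings and the helper names are all constructed for this illustration; the "hostile" key uses os.getcwd() only because it is a harmless, observable call.

```python
"""Added example: how run-time string building turns eval() into a code-injection sink.

CONFIG, the keys and the helper names are all constructed for this example;
nothing here is from the original post.
"""
import ast
import os

# Constructed sample data standing in for whatever a program lets eval() reach.
CONFIG = {"timeout": 30, "retries": 3}


def build_lookup_source(key):
    """The risky pattern: splice run-time text into source code.

    For an ordinary key this yields e.g. "CONFIG.get('timeout')"; the very
    same statement with a differently shaped key yields different *code*.
    """
    return "CONFIG.get('" + key + "')"


def lookup_with_eval(key):
    """eval() the spliced source. Whatever the key turned it into gets executed."""
    return eval(build_lookup_source(key))


def lookup_safely(key):
    """Same intent, no eval(): the key stays data and is never parsed as code."""
    return CONFIG.get(key)


def count_calls(source):
    """Static check: how many function calls does this source text contain?

    A plain lookup built by build_lookup_source() contains exactly one call
    (the .get()); any extra Call node means the string was altered into
    code the programmer never wrote.
    """
    tree = ast.parse(source, mode="eval")
    return sum(isinstance(node, ast.Call) for node in ast.walk(tree))


# Constructed hostile key: closes the literal and the call, then appends an
# expression of its own. os.getcwd() is deliberately harmless; any callable
# reachable from eval()'s namespace would do just as well.
HOSTILE_KEY = "missing') or __import__('os').getcwd() or CONFIG.get('"

# Constructed merely *awkward* data: one apostrophe is enough to break the
# generated code, which is the "buggy input data" case from the post.
AWKWARD_KEY = "user's timeout"


def eval_lookup_raises_syntax_error(key):
    """True if eval()ing the spliced source for this key fails to even compile."""
    try:
        lookup_with_eval(key)
    except SyntaxError:
        return True
    return False


if __name__ == "__main__":
    print(build_lookup_source(HOSTILE_KEY))
    print("eval  ->", lookup_with_eval(HOSTILE_KEY))  # a directory path, not a config value
    print("safe  ->", lookup_safely(HOSTILE_KEY))     # None: the key is just a missing key
    print("calls ->", count_calls(build_lookup_source("timeout")),
          count_calls(build_lookup_source(HOSTILE_KEY)))
    print("awkward key breaks eval:", eval_lookup_raises_syntax_error(AWKWARD_KEY))
```

The two lookups are meant to be interchangeable for well-behaved keys, and they are: both return 30 for "timeout". Only the eval() version changes behaviour when the key changes shape, which is exactly the run-time manipulation the reply warns about; the dict-based version treats the same hostile string as nothing more than an unknown key. When the data really must be an expression, ast.literal_eval() for literals, or a parse plus a whitelist of allowed node types, keeps "data" from being promoted to "code".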