[Tutor] eval use (directly by interpreter vs with in a script)
Danny Yoo
dyoo at hashcollision.org
Sun Nov 2 22:49:54 CET 2014
Hi Alex,
Just as a side note, someone has probably already told you something
like this, but: I would strongly recommend not using Python's eval()
or exec(). Those language features are dangerous. Every eval() or
exec() is a possible vector for injection attacks. This week's
injection attack of the week appears to be Drupal:
https://www.drupal.org/PSA-2014-003, and it's certainly not going to
be the last, but why should we encourage this?
In the face of this, we have to admit to ourselves that these features
are hard to use. Beginners should certainly give those features a
very wide berth. I don't think it's crazy to say that community
wisdom is to strongly discourage dynamic code evaluation features
unless we have no other choice.
Are you just exploring the features of Python, or is there a
particular task you're trying to solve with eval or exec()? Perhaps
you can accomplish the same goal in another way?