[Tutor] eval use (directly by interpreter vs with in a script)
beachkidken at gmail.com
Mon Nov 3 00:23:12 CET 2014
On 11/02/2014 04:49 PM, Danny Yoo wrote:
> Hi Alex,
> Just as a side note, someone has probably already told you something
> like this, but: I would strongly recommend not to use Python's eval()
> or exec(). Those language features are dangerous. Every eval() or
> exec() is a possible vector for injection attacks. This week's
> injection attack of the week appears to be Drupal:
> https://www.drupal.org/PSA-2014-003, and it's certainly not going to
> be the last, but why should we encourage this?
> In the face of this, we have to admit to ourselves that these features
> are hard to use. Beginners should certainly give those features a
> very wide berth. I don't think it's crazy to say that community
> wisdom is to strongly discourage dynamic code evaluation features
> unless we have no other choice.
> Are you just exploring the features of Python, or is there a
> particular task you're trying to solve with eval or exec()? Perhaps
> you can accomplish the same goal in another way?
I use exec to jump to another program within the
same directory, such as:
and let the program terminate there. Should I do
it differently or are you talking about a different
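The two points raised in this exchange, as an added example that is not part of the original thread or either poster's code: why eval() on a string that came from a user is an injection vector (the string is executed as Python, whatever it contains), the literal-only parser that refuses such input, and one way to "jump to another program in the same directory" without exec() at all. Every function name here (parse_number_unsafe, parse_number_safe, run_sibling_script and the two demo helpers) and the sample inputs are constructed for this illustration.

```python
"""Added example, not code from the Tutor thread.

Assumed/hypothetical names: parse_number_unsafe, parse_number_safe,
run_sibling_script, injection_demo, sibling_demo.  Inputs are constructed.
"""
import ast
import os
import subprocess
import sys
import tempfile


def parse_number_unsafe(text):
    """The pattern Danny warns about: eval() on text from a user.
    Any valid Python expression runs, not just a number."""
    return eval(text)


def parse_number_safe(text):
    """ast.literal_eval accepts only Python literals (numbers, strings,
    tuples, lists, dicts...).  Calls, names and attribute access raise
    ValueError, so the 'data' can never become code."""
    value = ast.literal_eval(text)
    if not isinstance(value, (int, float)):
        raise ValueError("not a number: %r" % (text,))
    return value


def injection_demo():
    # Constructed "user input": it looks like a value but is a call.
    payload = "__import__('os').getcwd()"
    leaked = parse_number_unsafe(payload)      # eval() actually runs getcwd()
    try:
        parse_number_safe(payload)
        rejected = False
    except (ValueError, SyntaxError):
        rejected = True
    return leaked == os.getcwd(), rejected


def run_sibling_script(name, base_dir):
    """Run another .py file from base_dir as a child process instead of
    exec()-ing its source: the interpreter is invoked directly (no shell),
    and the resolved path must stay inside base_dir, which blocks '../'
    tricks and absolute paths.  os.execv with the same argv would replace
    the current process, matching 'let the program terminate there'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base or not target.endswith(".py"):
        raise ValueError("refusing to run %r: not a .py inside %s" % (name, base))
    result = subprocess.run([sys.executable, target],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def sibling_demo():
    # Constructed sibling script written to a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "other.py"), "w") as f:
            f.write("print('hello from other.py')\n")
        out = run_sibling_script("other.py", d)
        try:
            run_sibling_script("../etc/passwd", d)
            escaped = True
        except ValueError:
            escaped = False
    return out, escaped


if __name__ == "__main__":
    print("eval leaked cwd, literal_eval rejected:", injection_demo())
    print("sibling run, path escape allowed:", sibling_demo())
```

The check in run_sibling_script is the part that matters: the file name is treated as data (resolved, then compared against the directory it is supposed to live in) rather than handed to anything that interprets it, which is the same discipline that replaces eval() with ast.literal_eval for values.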