RE: Question about ast.literal_eval
> To: email@example.com
> From: firstname.lastname@example.org
> Subject: Re: Question about ast.literal_eval
> Date: Mon, 20 May 2013 09:50:02 +0200
> [Corrected top-posting]
>>> To: email@example.com
>>> From: firstname.lastname@example.org
>>> Subject: Question about ast.literal_eval
>>> Date: Mon, 20 May 2013 09:05:48 +0200
>>> Hi all
>>> I am trying to emulate a SQL check constraint in Python. Quoting from
>>> the PostgreSQL docs, "A check constraint is the most generic constraint
>>> type. It allows you to specify that the value in a certain column must
>>> satisfy a Boolean (truth-value) expression."
>>> The problem is that I want to store the constraint as a string, and I
>>> was hoping to use ast.literal_eval to evaluate it, but it does not work.
> On 20/05/2013 09:34, Carlos Nepomuceno wrote:
>> It seems to me you can't use ast.literal_eval() to evaluate that kindof expression
>> because it's just for literals.
>> Why don't you use eval()?
> Because users can create their own columns, with their own constraints.
> Therefore the string is user-modifiable, so it cannot be trusted.
I understand your motivation but I don't know what protection ast.literal_eval() is offering that eval() doesn't.
Re: Question about ast.literal_eval
On Mon, 20 May 2013 10:55:35 +0300, Carlos Nepomuceno wrote:
> I understand your motivation but I don't know what protection
> ast.literal_eval() is offering that eval() doesn't.
eval will evaluate any legal Python expression:
py> eval("__import__('os').system('echo Mwahaha! Now you are pwned!') or 42")
Mwahaha! And now you are pwned!
ast.literal_eval() does exactly what the name says: it will evaluate any
legal Python LITERAL, including ints, floats, lists, dicts and strings,
but not arbitrary expressions.
py> ast.literal_eval('[123, None, "spam"]')
[123, None, 'spam']
|All times are GMT. The time now is 11:19 AM.|
Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.