Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Python (http://www.velocityreviews.com/forums/f43-python.html)
-   -   RE: Question about ast.literal_eval (http://www.velocityreviews.com/forums/t960809-re-question-about-ast-literal_eval.html)

Carlos Nepomuceno 05-20-2013 07:55 AM

RE: Question about ast.literal_eval
 
----------------------------------------
> To: python-list@python.org
> From: frank@chagford.com
> Subject: Re: Question about ast.literal_eval
> Date: Mon, 20 May 2013 09:50:02 +0200
>
> [Corrected top-posting]
>
>>> To: python-list@python.org
>>> From: frank@chagford.com
>>> Subject: Question about ast.literal_eval
>>> Date: Mon, 20 May 2013 09:05:48 +0200
>>>
>>> Hi all
>>>
>>> I am trying to emulate a SQL check constraint in Python. Quoting from
>>> the PostgreSQL docs, "A check constraint is the most generic constraint
>>> type. It allows you to specify that the value in a certain column must
>>> satisfy a Boolean (truth-value) expression."
>>>
>>> The problem is that I want to store the constraint as a string, and I
>>> was hoping to use ast.literal_eval to evaluate it, but it does not work.
>>>

>
> On 20/05/2013 09:34, Carlos Nepomuceno wrote:
>
>> It seems to me you can't use ast.literal_eval()[1] to evaluate that kindof expression
>> because it's just for literals[2].
>>
>> Why don't you use eval()?
>>

>
> Because users can create their own columns, with their own constraints.
> Therefore the string is user-modifiable, so it cannot be trusted.


I understand your motivation but I don't know what protection ast.literal_eval() is offering that eval() doesn't.

> Frank
>
>
> --
> http://mail.python.org/mailman/listinfo/python-list

Steven D'Aprano 05-20-2013 08:15 AM

Re: Question about ast.literal_eval
 
On Mon, 20 May 2013 10:55:35 +0300, Carlos Nepomuceno wrote:

> I understand your motivation but I don't know what protection
> ast.literal_eval() is offering that eval() doesn't.


eval will evaluate any legal Python expression:


py> eval("__import__('os').system('echo Mwahaha! Now you are pwned!') or 42")
Mwahaha! And now you are pwned!
42


ast.literal_eval() does exactly what the name says: it will evaluate any
legal Python LITERAL, including ints, floats, lists, dicts and strings,
but not arbitrary expressions.


py> ast.literal_eval('123')
123
py> ast.literal_eval('[123, None, "spam"]')
[123, None, 'spam']



--
Steven


All times are GMT. The time now is 11:19 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.