RE: Question about using python as a scripting language

 
 
Delaney, Timothy (Tim)
      08-07-2006
Steve Lianoglou wrote:

> One thing you could do is use the eval or compile methods. These
> functions let you run arbitrary code passed into them as a string.
>
> So, for instance, you can write:
> my_list = eval('[1,2,3,4]')


This is just asking for trouble.

my_list = eval('import shutil; shutil.rmtree('/')')

Terry's approach is much better. Another alternative is to create a
dictionary mapping an action name to a function. Basically the same as
Terry's solution, but the dictionary lookup is explicit (as opposed to
being hidden as method names).

Tim Delaney
 
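As an added illustration (this is not Tim's code, nor anything from the thread): the explicit dispatch table he describes, written for modern Python 3, together with ast.literal_eval for the data case in the original question (the string '[1,2,3,4]'). ast.literal_eval only appeared in Python 2.6, after this thread was written. The action names, functions and command syntax below are invented for the example.

```python
import ast
import shlex

# Constructed sample actions standing in for whatever a script wants to expose.
def greet(name):
    return "hello, %s" % name

def add(a, b):
    return int(a) + int(b)

# The dispatch table: user input can only ever select one of these entries.
ACTIONS = {
    "greet": greet,
    "add": add,
}

def run_command(line):
    """Run one command line such as 'add 2 3'.

    Returns (True, result) on success and (False, reason) otherwise. The
    action name is used purely as a dictionary key, so anything that is not
    listed in ACTIONS is an unknown key, never code to be interpreted.
    """
    parts = shlex.split(line)
    if not parts:
        return False, "empty command"
    name, args = parts[0], parts[1:]
    func = ACTIONS.get(name)
    if func is None:
        return False, "unknown action: %r" % name
    try:
        return True, func(*args)
    except (TypeError, ValueError) as exc:
        # wrong argument count or type, e.g. 'add x y'
        return False, "bad arguments for %s: %s" % (name, exc)

def parse_literal(text):
    """Turn a string like '[1,2,3,4]' into data without eval().

    ast.literal_eval (Python 2.6+) only builds literals: lists, tuples,
    dicts, sets, numbers, strings, booleans and None. Anything else, such as
    a call, attribute access or a bare name, raises ValueError; unparsable
    text raises SyntaxError.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        return False, "not a literal: %s" % exc

if __name__ == "__main__":
    # "delete_everything" is a constructed name that is simply not in the table.
    for line in ["greet bob", "add 2 3", "add x y", "delete_everything /"]:
        print(line, "->", run_command(line))
    for text in ["[1,2,3,4]", "{'a': 1}", "len([1,2])"]:
        print(text, "->", parse_literal(text))
```

The security property is that the set of callable code is fixed at the time ACTIONS is written; input chooses between entries but can never add one. literal_eval gives the same property for data: it walks the parsed syntax tree and refuses every node that is not a literal.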
Steve Lianoglou
      08-07-2006
Delaney, Timothy (Tim) wrote:
> This is just asking for trouble.
>
> my_list = eval('import shutil; shutil.rmtree('/')')


Hah .. wow.

And in related news: you still shouldn't be taking candy from
strangers.

Point well taken. Thanks for flagging that one.

-steve

 
Wildemar Wildenburger
      08-08-2006
Steve Lianoglou wrote:
> Delaney, Timothy (Tim) wrote:
>> This is just asking for trouble.
>>
>> my_list = eval('import shutil; shutil.rmtree('/')')

>
> Hah .. wow.
>
> And in related news: you still shouldn't be taking candy from
> strangers.
>
> Point well taken. Thanks for flagging that one.


Heck, whenever *is* it OK to use eval() then?

?-\
wildemar


 
Slawomir Nowaczyk
      08-09-2006
On Tue, 08 Aug 2006 14:32:32 +0200
Wildemar Wildenburger <(E-Mail Removed)> wrote:

#> Steve Lianoglou wrote:
#> > Delaney, Timothy (Tim) wrote:
#> >> This is just asking for trouble.
#> >>
#> >> my_list = eval('import shutil; shutil.rmtree('/')')
#> >
#> > Hah .. wow.
#> >
#> > And in related news: you still shouldn't be taking candy from
#> > strangers.
#> >
#> > Point well taken. Thanks for flagging that one.
#>
#> Heck, whenever *is* it OK to use eval() then?

eval is like optimisation. There are two rules:

Rule 1: Do not use it.
Rule 2 (for experts only): Do not use it (yet).



--
Best wishes,
Slawomir Nowaczyk

The good people sleep much better at night than the bad people. Of course,
the bad people enjoy the waking hours much more.

 
skip@pobox.com
      08-09-2006

Wildemar> Heck, whenever *is* it OK to use eval() then?

When you're sure of the validity of the string you are feeding it.
Unfortunately, the more you know about the string (and thus how valid it is
in your current context), the less you need eval. For example, if I know a
string s only contains digits and I want an integer out of the result, I can
avoid eval() by calling int(s). Even if I don't know for sure that it's a
string of digits I'm still better off calling int() and trapping any
exceptions:

try:
    n = int(s)
except ValueError:
    print "hmmm...", repr(s), "doesn't look like an integer to me."

Skip
 
Reply With Quote
 
Carl Banks
      08-09-2006
Wildemar Wildenburger wrote:
> Steve Lianoglou wrote:
> > Delaney, Timothy (Tim) wrote:
> >> This is just asking for trouble.
> >>
> >> my_list = eval('import shutil; shutil.rmtree('/')')

> >
> > Hah .. wow.
> >
> > And in related news: you still shouldn't be taking candy from
> > strangers.
> >
> > Point well taken. Thanks for flagging that one.

>
> Heck, whenever *is* it OK to use eval() then?


1. When you deliberately want to give the user power to run Python
code. (For example, I've written an HTML generator--who hasn't--that
uses eval and exec to expand in-line Python code. Perfectly ok as long
as you don't let untrusted users run the program.)

2. When you construct Python code within your program using no
untrusted data.


Carl Banks

 
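An added example (not Carl's code, and not from the thread) of his second case: source text assembled only from names the program itself declares, in the same spirit as the standard library's namedtuple, with an identifier check as a guard so that a refactoring slip cannot turn the template into something else, and with user-supplied values entering only as ordinary arguments after the class exists. The field and class names are constructed for the example; Python 3 is assumed.

```python
import keyword

# Constructed schema: these names are written in the source by the programmer,
# never read from a user, a file or the network.
RECORD_FIELDS = ("host", "port", "user")

def is_safe_identifier(ident):
    """True only for a plain, non-keyword Python identifier."""
    return (isinstance(ident, str)
            and ident.isidentifier()
            and not keyword.iskeyword(ident))

def make_record_class(name, fields):
    """Build a small record class from generated source, namedtuple-style.

    The only tokens spliced into the template are `name` and `fields`, and
    each is checked first, so nothing that is not a bare identifier can ever
    reach exec().  Values stored in a record later are constructor arguments
    and never touch the source text.
    """
    if not fields:
        raise ValueError("a record needs at least one field")
    for ident in (name,) + tuple(fields):
        if not is_safe_identifier(ident):
            raise ValueError("not a safe identifier: %r" % (ident,))
    params = ", ".join(fields)
    assignments = "\n".join("        self.%s = %s" % (f, f) for f in fields)
    source = (
        "class %s(object):\n"
        "    __slots__ = %r\n"
        "    def __init__(self, %s):\n"
        "%s\n"
        "    def as_dict(self):\n"
        "        return {f: getattr(self, f) for f in self.__slots__}\n"
    ) % (name, tuple(fields), params, assignments)
    namespace = {}
    exec(source, namespace)  # trusted: every token came from this module
    return namespace[name]

if __name__ == "__main__":
    Record = make_record_class("Record", RECORD_FIELDS)
    # These values could come from anywhere; they are only ever stored.
    r = Record("db1.example", 5432, "app")
    print(r.as_dict())
    print(is_safe_identifier("host"), is_safe_identifier("x); import os #"))
```

The distinction that matters is which strings reach exec(): here only the schema written in the module does, and the guard makes that explicit and checkable. Data that arrives at runtime is handled by the generated class as values, which is the difference between this and feeding a user's string to eval().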
 
Carl Banks
      08-09-2006

Delaney, Timothy (Tim) wrote:
> Steve Lianoglou wrote:
>
> > One thing you could do is use the eval or compile methods. These
> > functions let you run arbitrary code passed into them as a string.
> >
> > So, for instance, you can write:
> > my_list = eval('[1,2,3,4]')

>
> This is just asking for trouble.
>
> my_list = eval('import shutil; shutil.rmtree('/')')


Fortunately, that won't work because eval expects an expression.
Unfortunately, this will:

my_list = eval('__import__("shutil").rmtree("/")')


Carl Banks

 
Wildemar Wildenburger
      08-10-2006
Carl Banks wrote:
> Wildemar Wildenburger wrote:
>> Heck, whenever *is* it OK to use eval() then?

>
> 2. When you construct Python code within your program using no
> untrusted data


Ok, I had never even thought of that. Makes me itch to try it right now .

wildemar
 