Re: Question about ast.literal_eval

 
 
Frank Millman, 05-20-2013
On 20/05/2013 09:55, Carlos Nepomuceno wrote:
>>> Why don't you use eval()?
>>
>> Because users can create their own columns, with their own constraints.
>> Therefore the string is user-modifiable, so it cannot be trusted.
>
> I understand your motivation but I don't know what protection ast.literal_eval() is offering that eval() doesn't.

Quoting from the manual -

"Safely evaluate an expression node or a string containing a Python
expression. The string or node provided may only consist of the
following Python literal structures: strings, bytes, numbers, tuples,
lists, dicts, sets, booleans, and None."

The operative word is 'safely'. I don't know the details, but it
prevents the kinds of exploits that can be carried out by malicious code
using eval().

I believe it is the same problem as SQL injection, which is solved by
using parameterised queries.

Frank
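An added example, not part of the thread, showing the difference Frank points to: ast.literal_eval() accepts only the literal structures the manual lists and raises for anything that would need to be executed (names, calls, attribute access, comprehensions), whereas eval() would run all of it. It also covers the caveat a practitioner wants, namely that literal_eval can raise SyntaxError on malformed input and can exhaust the parser on very deeply nested input, so the helper bounds the length and catches those errors. The second half carries the SQL-injection analogy through with a parameterised sqlite3 INSERT. The helper names, the MAX_LEN bound and the sample inputs are assumptions constructed for this example.

```python
import ast
import sqlite3

# Constructed sample inputs. The first group are Python literals of the kinds
# the manual lists; the second are expressions that eval() would execute but
# that literal_eval() rejects because they contain names, calls, attribute
# access or control flow rather than literal data.
LITERAL_INPUTS = [
    "42", "-3.5", "1+2j", "'hello'", "b'bytes'",
    "(1, 2, 3)", "[1, 'two', 3.0]", "{'min': 0, 'max': 100}",
    "{1, 2, 3}", "True", "None",
]
NON_LITERAL_INPUTS = [
    "x",                      # bare name: literal_eval has no namespace to resolve it in
    "len('abc')",             # a call
    "().__class__",           # attribute access
    "1 if True else 2",       # conditional expression
    "[i for i in range(3)]",  # comprehension
    "open",                   # a builtin is still just a name
]

MAX_LEN = 4096          # assumed bound on constraint size; adjust to the application
_REJECTED = object()    # sentinel, because None is itself a valid literal


def parse_literal(text, max_len=MAX_LEN):
    """Parse untrusted text as a Python literal; return _REJECTED otherwise.

    literal_eval raises ValueError for non-literal content and SyntaxError
    for malformed input; deeply nested input can also exhaust the parser
    (SyntaxError, MemoryError or RecursionError depending on the Python
    version), so the length is bounded and all of these are caught.
    Hypothetical helper written for this example, not code from the thread.
    """
    if not isinstance(text, str) or len(text) > max_len:
        return _REJECTED
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, RecursionError, MemoryError):
        return _REJECTED


def accepts_literal(text):
    """True if text is a literal that parse_literal accepts."""
    return parse_literal(text) is not _REJECTED


def new_constraint_db():
    """In-memory table standing in for the application's constraint storage."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE constraints (column_name TEXT, constraint_text TEXT)")
    return db


def store_constraint(db, column_name, constraint_text):
    """Validate a user-supplied constraint with literal_eval, then store it.

    The same data-versus-code principle applies twice: literal_eval keeps
    the constraint from being executed as Python, and the parameterised
    INSERT keeps it from being interpreted as SQL.
    """
    if not accepts_literal(constraint_text):
        return False
    db.execute(
        "INSERT INTO constraints (column_name, constraint_text) VALUES (?, ?)",
        (column_name, constraint_text),
    )
    return True


def stored_constraints(db):
    """Return the stored constraint texts in insertion order."""
    rows = db.execute("SELECT constraint_text FROM constraints ORDER BY rowid")
    return [row[0] for row in rows]


if __name__ == "__main__":
    for text in LITERAL_INPUTS + NON_LITERAL_INPUTS:
        result = parse_literal(text)
        shown = "rejected" if result is _REJECTED else repr(result)
        print(f"{text!r:28} -> {shown}")
    db = new_constraint_db()
    print(store_constraint(db, "qty", "{'min': 0, 'max': 100}"))  # True
    print(store_constraint(db, "qty", "len('abc')"))              # False
```

Note that literal_eval is not a general expression evaluator: a constraint written as an expression over column values will be rejected just like the malicious cases, so the application has to represent constraints as literal data (for example a dict of bounds) and interpret that data itself.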


 