Velocity Reviews - Computer Hardware Reviews

Re: Question about ast.literal_eval

Frank Millman
On 20/05/2013 09:55, Carlos Nepomuceno wrote:
>>> Why don't you use eval()?

>> Because users can create their own columns, with their own constraints.
>> Therefore the string is user-modifiable, so it cannot be trusted.

> I understand your motivation but I don't know what protection ast.literal_eval() is offering that eval() doesn't.

Quoting from the manual -

"Safely evaluate an expression node or a string containing a Python
expression. The string or node provided may only consist of the
following Python literal structures: strings, bytes, numbers, tuples,
lists, dicts, sets, booleans, and None."

The operative word is 'safely'. I don't know the details, but it
prevents the kinds of exploits that can be carried out by malicious code
using eval().

I believe it is the same problem as SQL injection, which is solved by
using parameterised queries.
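To make the point concrete, here is an added example (mine, not Frank's or the thread's code) that parses stored column constraints with ast.literal_eval and shows which kinds of strings it accepts and rejects. The length cap and the sample constraint strings are my own assumptions; the thread mentions neither.

```python
import ast

class ConstraintError(ValueError):
    """Raised when a stored constraint string is not a plain literal."""

# Length cap chosen for this example (the thread sets none); it stops
# pathologically nested input from ever reaching the parser.
MAX_CONSTRAINT_LEN = 4096

def parse_constraint(text):
    """Parse a constraint string; anything beyond plain literals is rejected."""
    if len(text) > MAX_CONSTRAINT_LEN:
        raise ConstraintError("constraint too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: parsed but not a literal; SyntaxError: did not parse;
        # TypeError: e.g. an unhashable set member; the rest: parser exhaustion.
        raise ConstraintError(f"not a literal: {text[:40]!r}") from exc

def check_samples(samples):
    """Return {name: 'accepted' | 'rejected'} for a dict of sample strings."""
    outcome = {}
    for name, text in samples.items():
        try:
            parse_constraint(text)
            outcome[name] = "accepted"
        except ConstraintError:
            outcome[name] = "rejected"
    return outcome

# Constructed sample inputs; the thread shows no concrete constraint strings.
SAMPLES = {
    "literal_list": "[1, 2, 3]",
    "literal_dict": "{'min': 0, 'max': 100}",
    "tuple_with_none": "('a', 'b', None)",
    "negative_number": "-42",
    "bare_name": "max_value",          # a name lookup is not a literal
    "function_call": "len('abc')",     # calls are never evaluated
    "attribute_access": "os.getcwd()",
    "subscript": "[1, 2][0]",
    "set_of_list": "{[1]}",            # parses, but is not a valid set
    "unbalanced": "[1, 2",             # does not parse at all
    "deeply_nested": "[" * 10_000 + "]" * 10_000,
}
```

Calling check_samples(SAMPLES) reports the four literal samples as accepted and the rest as rejected; with eval() the name, call, attribute and subscript samples would all have been executed.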

