need fast parser for comma/space delimited numbers

Bernhard Herzog herzog at online.de
Sun Mar 19 11:00:06 EST 2000


Moshe Zadka <moshez at math.huji.ac.il> writes:

> On 18 Mar 2000, Bernhard Herzog wrote:
> 
> <about eval>
> > It is, of course a gaping security hole unless you use rexec.
[...]
> Now, most Python programs (certainly most scientific Python programs) are
> not run as CGIs and the like, but rather by the user who wants them to
> run. So, using eval/exec without rexec is perfectly all right from a
> security POV.

As long as you can trust the strings you eval or exec, this is indeed
not a security hole, so I should have perhaps qualified my statement
with something in that regard. Also, "potential" would have been better
than "gaping".

However, as Andrew Dalke pointed out, it's hard to foresee what your
program or even just parts of programs might be used for in the future.

> The only problem is that you're executing random Python code, which means
> you won't be able to understand bug-reports. But that's a reason to use
> eval/exec with the optional dictionaries, not for rexec.

Or perhaps a reason not to use eval but a more appropriate function that
does exactly what's necessary and nothing more. The posts in this
newsgroup seem to indicate that many people, mostly newbies AFAICT, use
eval when they should be using int, float, string.atoi, string.atof,
setattr, getattr or __import__.

There are situations when eval or exec is the appropriate thing to use
but anyone using them should be aware of the potential risks.

-- 
Bernhard Herzog   | Sketch, a drawing program for Unix
herzog at online.de  | http://sketch.sourceforge.net/
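The point of the post, a purpose-built parser for the thread's comma/space delimited numbers beside the eval shortcut it argues against, as an added example that is not part of the original message. It is Python 3 (float() stands in for the string.atof the post mentions); the function names, the separator pattern and the sample input are assumptions of the example.

```python
import re
from typing import List

# Separators: one or more commas and/or whitespace, e.g. "1, 2.5 -3e2,4".
_SEP = re.compile(r"[,\s]+")

# Exactly a decimal or scientific numeric literal, nothing else. float()
# alone would also accept "nan", "inf" and "1_000"; this keeps the parser to
# "exactly what's necessary and nothing more".
_NUM = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def parse_numbers(text: str) -> List[float]:
    """Parse delimited numbers without eval.

    Every token must match the numeric-literal pattern, so anything that is
    not a number (an expression, a name, a call) raises ValueError instead
    of being evaluated.
    """
    values = []
    for tok in _SEP.split(text.strip()):
        if not tok:            # leading/trailing separator leaves an empty token
            continue
        if not _NUM.fullmatch(tok):
            raise ValueError(f"not a number: {tok!r}")
        values.append(float(tok))
    return values


def parse_numbers_eval(text: str) -> List[float]:
    """The eval shortcut the thread warns about, kept only for comparison.

    It "works" on the same input, but eval() accepts any Python expression,
    so the caller no longer controls what the string is allowed to do.
    """
    return [float(v) for v in eval("[" + _SEP.sub(",", text.strip()) + "]")]


if __name__ == "__main__":
    sample = "1, 2.5 -3e2,4"        # constructed sample input
    print(parse_numbers(sample))       # [1.0, 2.5, -300.0, 4.0]
    # An arithmetic expression shows the difference harmlessly: the strict
    # parser rejects it, eval computes it.
    print(parse_numbers_eval("2**10"))  # [1024.0]
    try:
        parse_numbers("2**10")
    except ValueError as exc:
        print("rejected:", exc)
```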