Safe eval?

Philipp Lenssen lenssen at hitnet.rwth-aachen.de
Tue Apr 16 16:46:50 EDT 2002


Is it possible to have a safe eval() on the server-side even when the string
consists of submitted user data?

Thanks.


I've just been discussing this in a PHP group, but now I want to port an
XML-based interpreter to Python too (see http://questml.com), and the same
issues arise. Basically in PHP I didn't find a fail-safe solution; either
the configuration* is set to safe**, or it isn't, but lowering the
right-level for other scripts is not possible here***. Now, my current PHP
work-around is to replace certain characters and function names. That would
always be a solution in the end but it's not completely satisfying I think.

* to which most people like me don't have access on their hosted internet
server
** which would be globally OK for my needs, since I don't even want to write
to the file-system
*** it's possible in .NET from what I've seen.
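
An added example, not part of the original post: instead of stripping characters and function names from a string before `eval()`, a Python 3.8+ evaluator can parse the input with `ast` and execute only node types on an allowlist, so calls, attribute access and unknown names are rejected by construction. It generalizes to arithmetic, comparison and boolean expressions; `safe_eval`, `UnsafeExpression`, `MAX_LEN` and the variable names in the test are assumptions made for illustration.

```python
import ast
import operator

# Allowlist: only these operator node types are ever evaluated (no ** to avoid huge results).
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Not: operator.not_}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
MAX_LEN = 200  # constructed limit; bounds parse cost and nesting depth

class UnsafeExpression(ValueError):
    """Raised for anything outside the allowlisted expression grammar."""

def safe_eval(expr, variables=None):
    """Evaluate a user-supplied expression over caller-supplied numeric variables."""
    if len(expr) > MAX_LEN:
        raise UnsafeExpression("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")  # parses only; nothing is executed here
    except (SyntaxError, ValueError) as exc:
        raise UnsafeExpression("not a valid expression") from exc
    return _walk(tree.body, variables or {})

def _walk(node, variables):
    # Literals: numbers and booleans only (no strings, so no "x" * 10**9 style blowups).
    if isinstance(node, ast.Constant) and type(node.value) in (int, float, bool):
        return node.value
    # Names resolve only against the caller's dict, never builtins or globals.
    if isinstance(node, ast.Name) and node.id in variables:
        return variables[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_walk(node.left, variables),
                                       _walk(node.right, variables))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand, variables))
    if isinstance(node, ast.BoolOp):
        values = [_walk(v, variables) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare) and all(type(o) in _CMP_OPS for o in node.ops):
        operands = [_walk(n, variables) for n in [node.left] + node.comparators]
        return all(_CMP_OPS[type(op)](a, b)
                   for op, a, b in zip(node.ops, operands, operands[1:]))
    # Call, Attribute, Subscript, Lambda, comprehensions, unknown names: all end up here.
    raise UnsafeExpression("disallowed syntax: " + type(node).__name__)
```

Division by zero still raises `ZeroDivisionError`, so the caller should treat any exception from `safe_eval` as a rejected input.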






