Convert String to Dictionary question
Brian Kelley
bkelley at wi.mit.edu
Fri Feb 15 13:40:07 EST 2002
Jeff Shannon wrote:
>
>
> This works, but is generally a Bad Idea(tm). The problem
> with eval/exec on arbitrary strings (and any string you read
> in from a file is arbitrary) is that it's hard to be
> positive that what you're eval/exec-ing is what you expect.
> And if it's *not*, then many, many very bad things can
> happen. (Imagine someone "accidentally" replacing that
> textfile with one that contains the line "import
> os;os.system('rm -s /')" -- suddenly your entire filesystem
> is blank....)
>
> If you want to store the contents of a dictionary on a
> permanent disk file, you should look at the Pickle and
> Shelve modules. If you're doing this a lot, or with lots of
> data, then try using one of the generic db modules (anydbm,
> bsddb, etc).
n.b. pickle and cPickle also use eval to convert representations of
string values into python strings so security is not a valid reason to
choose one over the other, yet...
SourceForge bug entry:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=502503&group_id=5470
>
> Jeff Shannon
> Technician/Programmer
> Credit International
>
>
>
Brian Kelley
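
The risk discussed in this thread, shown from the parsing side, as an added example that is not part of the original post: reading a dictionary from text with `ast.literal_eval` (in today's Python standard library) instead of `eval`, so only literals are accepted and nothing in the file is executed. The names `parse_dict` and `rejects`, the size and depth limits, and the sample strings are assumptions constructed for illustration.

```python
import ast

# Scalar types accepted as dictionary keys and as leaf values.
_SCALARS = (str, bytes, int, float, bool, type(None))


def _check(value, depth=0):
    """Recursively verify the parsed object holds only plain data types."""
    if depth > 20:
        raise ValueError("nesting too deep")
    if isinstance(value, _SCALARS):
        return
    if isinstance(value, (list, tuple)):
        for item in value:
            _check(item, depth + 1)
        return
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, _SCALARS):
                raise ValueError("unsupported key type")
            _check(item, depth + 1)
        return
    raise ValueError("unsupported type: " + type(value).__name__)


def parse_dict(text, max_len=100_000):
    """Parse a dict literal from untrusted text without evaluating code."""
    if len(text) > max_len:
        raise ValueError("input too large")
    try:
        # literal_eval accepts literals only: no names, calls or imports.
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a literal: %s" % exc) from None
    if not isinstance(value, dict):
        raise ValueError("top-level value is not a dictionary")
    _check(value)
    return value


def rejects(text):
    """Return True when parse_dict refuses the input."""
    try:
        parse_dict(text)
    except ValueError:
        return True
    return False
```
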