Convert String to Dictionary question

Jeff Shannon jeff at ccvcorp.com
Fri Feb 15 13:48:27 EST 2002


Jacek Generowicz wrote:

> Jeff Shannon <jeff at ccvcorp.com> writes:
>
> > This works, but is generally a Bad Idea(tm).  The problem
> > with eval/exec on arbitrary strings (and any string you read
> > in from a file is arbitrary) is that it's hard to be
> > positive that what you're eval/exec-ing is what you expect.
> > And if it's *not*, then many, many very bad things can
> > happen.  (Imagine someone "accidentally" replacing that
> > textfile with one that contains the line "import
> > os;os.system('rm -s /')" -- suddenly your entire filesystem
> > is blank....)
>
> Writing python scripts works but is generally a Bad Idea(tm).
>
> Imagine someone "accidentally" replacing the textfile containing your
> script with one that contains the line "import os;os.system('rm -s
> /')" -- suddenly your entire filesystem is blank....)

Okay, so that particular example is not the best.  ;)  However, I've
seen people posting code that eval()'s interactive input, which *does*
provide all sorts of opportunity for bad things.  The point is still
true, that exec and eval() are better avoided in 99.9% of situations;
they're emergency-use-only.  (It's good to keep a fire extinguisher
around, but I wouldn't want to use it to put out a candle...)

Jeff Shannon
Technician/Programmer
Credit International
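As an added example (not code from the thread), the textfile-to-dictionary task done without eval() or exec(): ast.literal_eval, which entered the standard library after this 2002 discussion, accepts only literal syntax and rejects anything else before it runs, and a plain key = value parser evaluates nothing at all. The sample inputs are constructed; HOSTILE is the line quoted in the thread.

```python
import ast

def string_to_dict(text):
    """Parse a dict literal from untrusted text without eval().

    ast.literal_eval accepts only literals (strings, numbers, tuples,
    lists, dicts, sets, booleans, None).  Calls, attribute access,
    imports and statements are rejected before anything executes.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise ValueError("not a literal: %r" % text) from exc
    if not isinstance(value, dict):
        raise ValueError("expected a dict, got %s"
                         % type(value).__name__)
    return value

def is_dict_literal(text):
    """True if string_to_dict accepts the text, False otherwise."""
    try:
        string_to_dict(text)
        return True
    except ValueError:
        return False

def lines_to_dict(text):
    """Parse 'key = value' lines into a dict of strings.  Nothing
    is evaluated, so a hostile file can only yield odd strings."""
    result = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            raise ValueError("line %d: expected key = value" % lineno)
        key, _, value = line.partition('=')
        result[key.strip()] = value.strip()
    return result

# Constructed sample inputs.  HOSTILE is the line quoted in the thread;
# eval()/exec() would run it, literal_eval refuses it without executing.
GOOD = "{'host': 'localhost', 'port': 8080, 'debug': False}"
HOSTILE = "import os;os.system('rm -s /')"
CONFIG = "host = localhost\n# comment\nport=8080\n"

if __name__ == "__main__":
    print(string_to_dict(GOOD), is_dict_literal(HOSTILE), lines_to_dict(CONFIG))
```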
