eval vs. exec
Hans Nowak
wurmy at earthlink.net
Mon May 27 12:42:40 EDT 2002
Alexander Schmolck wrote:
> Of course using eval or exec is usually not a good idea, because it creates a
> huge security risk -- A better approach would be to parse the expression or at
> least make sure it only contains harmless things before you exec/eval it.
I don't know why this "security risk" comes up all the time...
security is only at stake if you execute or evaluate a string
from an unknown or untrusted source. Most of the time, this
will not be the case. If you use eval/exec with a string you
made yourself, there's no more risk than, say, importing a
module, or calling an object's method. (For some reason, I
don't hear people say, "don't use import, it's a security risk,
the module might have been magically changed and do something
unintended now".)
Whether use of exec and eval is _necessary_ or whether it's
good programming style is a different bowl of soup, of course.
--
Hans (base64.decodestring('d3VybXlAZWFydGhsaW5rLm5ldA=='))
# decode for email address ;-)
The Pythonic Quarter:: http://www.awaretek.com/nowak/