help me
Andrew Dalke
adalke at mindspring.com
Sat Oct 9 23:12:07 EDT 2004
dataangel:
> Why don't you want to use exec? Just curious. That's the normal way to
> get a string to python code as far as I know.
That's not the normal way. Where did you get that idea?
>>> exec raw_input("enter name: ")+' = 34'
enter name: import os; os.system("pwd && echo rm -rf /delete/any/file"); c
/Users/dalke/src
rm -rf /delete/any/file
>>>
In other words, without full vetting of the input it's
a huge security hole.
If you want to set a global variable (why??) then use
the globals() dictionary.
>>> spam
Traceback (most recent call last):
File "<stdin>", line 1, in ?
NameError: name 'spam' is not defined
>>> globals()[raw_input("enter name: ")] = 34
enter name: spam
>>> spam
34
>>>
More than likely you should put the data into a
dictionary of its own. Otherwise, what happens
if someone assigns to the variable 'raw_input'?
>>> globals()[raw_input("enter name: ")] = 34
enter name: raw_input
>>> globals()[raw_input("enter name: ")] = 34
Traceback (most recent call last):
File "<stdin>", line 1, in ?
TypeError: 'int' object is not callable
>>>
Andrew
dalke at dalkescientific.com
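The dictionary-of-its-own approach from the post, written out as an added example in Python 3 (this is not code from the thread; `set_user_var`, `is_valid_name`, `user_vars` and `demo_no_shadowing` are names chosen here, and `input()` stands in for Python 2's `raw_input()`):

```python
import keyword

# A namespace that belongs only to user-supplied variables. Writing into it
# can never clobber a real global such as input() or exec(), which is the
# failure the post demonstrates with globals()[...] = 34.
user_vars = {}


def is_valid_name(name):
    """True if name is a plain Python identifier and not a reserved word.

    Anything like 'import os; os.system(...)' fails this check and is
    never evaluated or executed; it is only ever used as a dict key.
    """
    return (isinstance(name, str)
            and name.isidentifier()
            and not keyword.iskeyword(name))


def set_user_var(name, value, store=user_vars):
    """Store value under a user-chosen name without touching globals()."""
    if not is_valid_name(name):
        raise ValueError("not a valid variable name: %r" % (name,))
    store[name] = value
    return store


def get_user_var(name, store=user_vars):
    """Look a user variable up in its own dictionary, not in globals()."""
    return store[name]


def demo_no_shadowing():
    """Show that naming a user variable 'input' leaves the builtin intact.

    With globals()['input'] = 34 the next call to input() would raise
    TypeError, exactly as happened with raw_input in the post.
    """
    store = {}
    set_user_var("input", 34, store)
    return callable(input) and store["input"] == 34


if __name__ == "__main__":
    # Interactive use, mirroring the post's session but without exec.
    name = input("enter name: ")
    set_user_var(name, 34)
    print(name, "=", get_user_var(name))
```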