matching a string to extract substrings for which some function returns true

Amit Khemka khemkaamit at gmail.com
Tue Nov 22 09:26:15 EST 2005


Fredrik, thanks for your suggestion. Though the html pages that are
generated are for internal use, and input is verified before
processing.

And more than just a solution in the current context, actually I was
more curious about how one can do so in Python.

cheers,
amit.

On 11/22/05, Fredrik Lundh <fredrik at pythonware.com> wrote:
> Amit Khemka wrote:
>
> > Well actually the problem is I have a list of tuples which I cast as
> > string and then put in a html page as the value of a hidden variable.
> > And when I get the string again, I want to cast it back as list of tuples:
> > ex:
> > input: "('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> > ('foo2', 2, 'foobar2', (3, 2))"
> > output: [('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> > ('foo2', 2, 'foobar2', (3, 2))]
> >
> > I hope that explains it better...
>
> what do you think happens if the user manipulates the field values
> so they contain, say
>
>     os.system('rm -rf /')
>
> or
>
>     "'*'*1000000*2*2*2*2*2*2*2*2*2"
>
> or something similar?
>
> if you cannot cache session data on the server side, I'd
> recommend inventing a custom record format, and doing your
> own parsing.  turning your data into e.g.
>
>     "foo:1:foobar:3:0+foo1:2:foobar1:3:1+foo2:2:foobar2:3:2"
>
> is trivial, and the resulting string can be trivially parsed by a couple
> of string splits and int() calls.
>
> to make things a little less obvious, and make it less likely that some
> character in your data causes problems for the HTML parser, you can
> use base64.encodestring on the result (this won't stop a hacker, of
> course, so you cannot put sensitive data in this field).
>
> </F>
>


--
----
Endless the world's turn, endless the sun's spinning
Endless the quest;
I turn again, back to my own beginning,
And here, find rest.
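The custom record format Fredrik sketches, written out as an added example (my code, not anything from the thread): a list of tuples like the one in Amit's question is flattened to "foo:1:foobar:3:0+..." and read back with nothing but split() and int(), so a tampered hidden field can only fail to parse, never execute. The base64 wrapper uses base64.b64encode, the modern replacement for the encodestring call mentioned in the quoted mail; the delimiter check on string fields is my own addition.

```python
import base64

RECORD_SEP = "+"   # separates records
FIELD_SEP = ":"    # separates fields inside one record


def encode_records(records):
    """Flatten [(name, n, label, (a, b)), ...] into the format from the thread,
    e.g. 'foo:1:foobar:3:0+foo1:2:foobar1:3:1'. String fields that contain a
    delimiter would corrupt the layout, so they are rejected up front."""
    parts = []
    for name, n, label, (a, b) in records:
        for text in (name, label):
            if RECORD_SEP in text or FIELD_SEP in text:
                raise ValueError("delimiter inside string field: %r" % text)
        parts.append(FIELD_SEP.join([name, str(int(n)), label, str(int(a)), str(int(b))]))
    return RECORD_SEP.join(parts)


def decode_records(data):
    """Parse the flat format back with split() and int() only, no eval().
    Anything that is not exactly five fields with integers in the right
    places raises ValueError instead of being interpreted as code."""
    if not data:
        return []
    records = []
    for rec in data.split(RECORD_SEP):
        fields = rec.split(FIELD_SEP)
        if len(fields) != 5:
            raise ValueError("expected 5 fields, got %d in %r" % (len(fields), rec))
        name, n, label, a, b = fields
        records.append((name, int(n), label, (int(a), int(b))))
    return records


def to_hidden_field(records):
    """base64 the flat string so no character upsets the HTML parser.
    This is encoding, not protection: the field is still user-controlled."""
    return base64.b64encode(encode_records(records).encode("utf-8")).decode("ascii")


def from_hidden_field(value):
    """Inverse of to_hidden_field; bad base64 or bad records raise ValueError."""
    return decode_records(base64.b64decode(value).decode("utf-8"))
```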


