Eval (was Re: Question about the use of python as a scripting language)

Brendon Towle btowle at carnegielearning.com
Thu Aug 10 11:09:44 EDT 2006


On 10 Aug 2006, at 10:46 AM, skip at pobox.com wrote:

>
>     Brendon> A shortcut occurs to me; maybe someone can tell me what's wrong
>     Brendon> with my reasoning here. It seems that any string that is unsafe
>     Brendon> to pass to eval() must involve a function call, and thus must
>     Brendon> contain an opening paren. Given that I know that the data I
>     Brendon> expect contains no parens, would people expect this code to be
>     Brendon> safe:
>
> Unfortunately, no.  If I define a class which has properties, attribute
> assignment can involve arbitrary numbers of function calls.
>

Oh yeah -- forgot about that. Thanks.

But, how could you get that class into my eval() call? Unless I'm
missing something (entirely possible -- as we've seen above, I
already did), it seems that you have only two options:

1. Get the code containing the class on my local machine, and import
the class -- in this case, I'm screwed long before I call eval().
2. Include it in the page I downloaded -- in this case, the function
calls will be part of the string, and the data.pos('(') call will
find them.

Am I missing a third option?

B.

-- 
Brendon Towle, PhD
Cognitive Scientist
+1-412-690-2442x127
Carnegie Learning, Inc.
The Cognitive Tutor Company ®
Helping over 375,000 students in 1000 school districts succeed in math.
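An added illustration of Skip's point, not code from either poster: an object reachable from eval()'s namespace can run code through plain attribute access or indexing, so a string with no "(" still passes the paren guard and still executes a function. The `Probe` class, the namespace, and the use of `str.find` in place of the `data.pos('(')` call in the message are all constructed assumptions; `ast.literal_eval` is shown as the mitigation because it only builds literals.

```python
import ast

# Constructed example: an object whose attribute access runs code. Any
# object reachable from eval()'s namespace with a property, __getattr__,
# __getitem__, or an operator method behaves the same way; no "(" is needed.
class Probe:
    def __init__(self):
        self.touched = []

    @property
    def value(self):
        # Executed by plain attribute access, i.e. "p.value"
        self.touched.append("property getter ran")
        return 42

    def __getitem__(self, key):
        # Executed by indexing, i.e. "p[7]"
        self.touched.append("__getitem__ ran")
        return key


def passes_paren_check(data):
    """The guard from the thread: accept only strings with no opening paren."""
    return data.find("(") == -1


def unsafe_eval(data, namespace):
    """eval() behind the paren guard; returns (accepted, result).
    Emptying __builtins__ does not help: the object is already in scope."""
    if not passes_paren_check(data):
        return False, None
    return True, eval(data, {"__builtins__": {}}, namespace)


def safe_literal(data):
    """Mitigation: ast.literal_eval only builds constants, lists, tuples,
    dicts and sets; names, attribute access and indexing are rejected."""
    try:
        return True, ast.literal_eval(data)
    except (ValueError, SyntaxError):
        return False, None


def demo():
    p = Probe()
    ns = {"p": p}
    accepted, result = unsafe_eval("p.value", ns)   # no paren, getter still runs
    unsafe_eval("p[7]", ns)                         # no paren, __getitem__ runs
    ok, _ = safe_literal("p.value")                 # rejected by literal_eval
    ok2, lit2 = safe_literal("[1, 2, {'k': 'v'}]")  # plain data is accepted
    return accepted, result, p.touched, ok, ok2, lit2
```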

