Eval (was Re: Question about the use of python as a scripting language)
Brendon Towle
btowle at carnegielearning.com
Thu Aug 10 11:09:44 EDT 2006
On 10 Aug 2006, at 10:46 AM, skip at pobox.com wrote:
>
>     Brendon> A shortcut occurs to me; maybe someone can tell me what's wrong
>     Brendon> with my reasoning here. It seems that any string that is unsafe
>     Brendon> to pass to eval() must involve a function call, and thus must
>     Brendon> contain an opening paren. Given that I know that the data I
>     Brendon> expect contains no parens, would people expect this code to be
>     Brendon> safe:
>
> Unfortunately, no. If I define a class which has properties, attribute
> assignment can involve arbitrary numbers of function calls.
>
Oh yeah -- forgot about that. Thanks.

But, how could you get that class into my eval() call? Unless I'm
missing something (entirely possible -- as we've seen above, I
already did), it seems that you have only two options:

1. Get the code containing the class on my local machine, and import
   the class -- in this case, I'm screwed long before I call eval().

2. Include it in the page I downloaded -- in this case, the function
   calls will be part of the string, and the data.pos('(') call will
   find them.

Am I missing a third option?

B.

--
Brendon Towle, PhD
Cognitive Scientist
+1-412-690-2442x127
Carnegie Learning, Inc.
The Cognitive Tutor Company ®
Helping over 375,000 students in 1000 school districts succeed in math.
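
Added example (not part of the original message or thread): instead of filtering on "(", the downloaded string can be parsed and accepted only if it consists of literal syntax, so names, attribute access, operators and calls are refused before anything is evaluated. `parse_data`, `UnsafeData` and `rejection_reason` are hypothetical names, and the sample inputs are constructed.

```python
import ast

# Syntax permitted in pure data: literals, containers, and a sign on a number.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.Load, ast.UnaryOp, ast.USub, ast.UAdd,
)

class UnsafeData(ValueError):
    """Raised when the input is anything other than a plain data literal."""

def parse_data(text, max_len=100_000):
    """Return the Python value described by `text` without executing any code."""
    if len(text) > max_len:
        raise UnsafeData("input too long")
    try:
        tree = ast.parse(text.strip(), mode="eval")   # parse only, nothing runs
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        raise UnsafeData(f"not parseable: {type(exc).__name__}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            # Name, Attribute, Call, BinOp, Subscript, comprehensions, lambda...
            raise UnsafeData(f"disallowed syntax: {type(node).__name__}")
    try:
        return ast.literal_eval(tree)
    except (ValueError, TypeError) as exc:            # e.g. -'abc', unhashable key
        raise UnsafeData(f"not a literal: {exc}") from exc

def rejection_reason(text):
    """Return why `text` was refused, or None if it parsed as data."""
    try:
        parse_data(text)
    except UnsafeData as exc:
        return str(exc)
    return None

# Constructed sample inputs; none of them contains "(".
SAMPLES = [
    "[1, 2.5, 'abc', -3]",            # plain data
    "{'a': [1, 2], 'b': None}",       # plain data
    "record.total",                   # attribute access: may run a property getter
    "rows[0] + rows[1]",              # indexing and "+" dispatch to methods
    "[x for x in rows]",              # comprehension over an outside name
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} -> {rejection_reason(s) or parse_data(s)!r}")
```

The check is an allowlist on syntax-tree node types, so it does not depend on which characters appear in the string.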