Eval (was Re: Question about using python as a scripting language)
Brendon Towle
btowle at carnegielearning.com
Wed Aug 9 12:47:14 EDT 2006
On 9 Aug 2006, at 12:03 PM, skip at pobox.com wrote:
>
> Brendon> I could do that, or I could do something like the re.*
> trick
> Brendon> mentioned by another poster. But, doesn't it offend
> anyone else
> Brendon> that the only clean way to access functionality that's
> already
> Brendon> in Python is to write long complicated Python code?
> Python
> Brendon> already knows how to extract a list object from a
> string; why
> Brendon> should I have to rewrite that?
>
> Doesn't bother me at all. One, it's not actually Python code, it's
> JavaScript. It's just serendipity that the table can be parsed as
> a Python
> list. Two, there's nothing to prevent the authors from changing the
> formatting in an incompatible way in the future.
I think that these are actually the same reason, and can be safely
ignored, because item 2 is true no matter what method I use to parse
the data. Sure, it's serendipity, but that happens to be the hand I'm
dealt at the moment; why not exploit the serendipity?
> Three, it's completely
> untrusted input and shouldn't be fed to eval().
This is the crucial point, and the reason I asked the question to
begin with.
Lisp (which I'm used to) has the read-eval-print loop; I think that
my confusion was because:
1. Python's eval(X) is essentially the same as Lisp's (eval (read-
from-string X)), not Lisp's (eval X) or Lisp's (read-from-string X);
2. The '[' character that begins a list should actually be read as a
function call, not a data delimiter. (Which, in the context of list
comprehensions, makes a lot of sense as I think about it.)
> Four, it's not actually
> complicated code (using the csv module would probably be simpler).
I'll look into the csv module.
And, it may not be complicated on an absolute scale, but Chris' re.*
method turned one line of code into about 15; that's certainly a non-
trivial increase in complexity.
> Five, you have to stop thinking of it a "list
> object". It's just a string of bytes which happens at this point
> in time to
> intersect with the definition of a Python list. You're trying to
> wish it
> was something that it's not.
I must be confused here. If I call the following function:
eval('[1, 2, 3]')
what does that function call return, if not a list object?
Sure, the string isn't a list object; it's a string of bytes that
happens to be syntactically identical to the definition of a list in
python code. I was hoping for a clean and safe way to exploit that
identical-ness; apparently, all the clean ways are unsafe, and all
the safe ways are unclean.
B.
--
Brendon Towle, PhD
Cognitive Scientist
+1-412-690-2442x127
Carnegie Learning, Inc.
The Cognitive Tutor Company ®
Helping over 375,000 students in 1000 school districts succeed in math.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-list/attachments/20060809/d84f36a9/attachment.html>
More information about the Python-list
mailing list