Eval (was Re: Question about using python as a scripting language)
Simon Forman
rogue_pedro at yahoo.com
Wed Aug 9 17:12:01 EDT 2006
Chris Lambacher wrote:
> On Wed, Aug 09, 2006 at 11:51:19AM -0400, Brendon Towle wrote:
> > On 9 Aug 2006, at 11:04 AM, Chris Lambacher wrote:
> >
> > How is your data stored? (site was not loading for me).
> >
> > In the original source HTML, it's like this (I've deleted all but the
> > beginning and the end of the list for clarity):
> > var table_body = [
> > ["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
> > ,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
> > ];
> I didn't realize it was javascript syntax, a json implementation would
> probably work for you: http://cheeseshop.python.org/pypi/simplejson
>
> >
> > More sophisticated situations (like nested lists) may require something
> > like pyparsing.
> >
> > I could do that, or I could do something like the re.* trick mentioned by
> > another poster. But, doesn't it offend anyone else that the only clean way
> > to access functionality that's already in Python is to write long
> > complicated Python code? Python already knows how to extract a list object
> > from a string; why should I have to rewrite that?
> I don't disagree with you. The problem is that the obvious way to do it
> (eval) is a big security hole. In this case you are trusting that no one
> inserts themselves between you and the website providing you with code to
> EXECUTE. I have heard of people attempting to use the parser provided with
> python and examining the AST to do this, but I think that approach is even
> more complicated.
> > B.
> >
> > On Wed, Aug 09, 2006 at 10:23:49AM -0400, Brendon Towle wrote:
> >
> > Slawomir Nowaczyk noted:
> > #> Heck, whenever *is* it OK to use eval() then?
> > eval is like optimisation. There are two rules:
> > Rule 1: Do not use it.
> > Rule 2 (for experts only): Do not use it (yet).
> > So, that brings up a question I have. I have some code that goes out to a
> > website, grabs stock data, and sends out some reports based on the data.
> > Turns out that the website in question stores its data in the format of a
> > Python list (http://quotes.nasdaq.com/quote.dll?page=nasdaq100, search
> > the source for "var table_body"). So, the part of my code that extracts
> > the data looks something like this:
> > START_MARKER = 'var table_body = '
> > END_MARKER = '];'
> >
> > def extractStockData(data):
> >     pos1 = data.find(START_MARKER) + len(START_MARKER)
> >     pos2 = data.find(END_MARKER, pos1)
> >     # slice up to and including the ']' that starts END_MARKER
> >     return eval(data[pos1:pos2 + 1])
> > (I may have an off-by-one error in there somewhere -- this is from memory,
> > and the code actually works.)
> > My question is: what's the safe way to do this?
> > B.
> > --
> > Brendon Towle, PhD
> > Cognitive Scientist
> > +1-412-690-2442x127
> > Carnegie Learning, Inc.
> > The Cognitive Tutor Company ®
> > Helping over 375,000 students in 1000 school districts succeed in math.
> >
> > --
> > http://mail.python.org/mailman/listinfo/python-list
> >
Fredrik Lundh posted a great piece of code to parse a subset of python
safely:
http://groups.google.ca/group/comp.lang.python/browse_frm/thread/8e427c5e6da35c/a34397ba74892b4e
Peace,
~Simon
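Added example (not code from Simon, Chris, Brendon or Fredrik's post): the
"parse a subset of Python safely" idea is what later shipped in the standard
library as ast.literal_eval (Python 2.6+), and since the nasdaq array literal
is also valid JSON, json.loads works too. The page source below is
constructed from the snippet Brendon posted, not fetched; the hostile page is
constructed as well, using os.getpid() as a harmless stand-in for what an
attacker sitting between you and the site would actually make eval run.

```python
import ast
import json

# Constructed sample of the page source described in the thread (not fetched).
SAMPLE_HTML = """<html><body>
<script>
var table_body = [
["ATVI", "Activision, Inc.",12.75,0.150000,1.19,2013762,0.04,"N","N"]
,["YHOO", "Yahoo! Inc.",27.7,0.260000,0.95,6348884,0.21,"N","N"]
];
</script>
</body></html>"""

START_MARKER = 'var table_body = '
END_MARKER = '];'


def extract_literal(data):
    """Cut the array literal out of the page, keeping the closing ']'."""
    pos1 = data.find(START_MARKER)
    if pos1 < 0:
        raise ValueError("start marker not found")
    pos1 += len(START_MARKER)
    pos2 = data.find(END_MARKER, pos1)
    if pos2 < 0:
        raise ValueError("end marker not found")
    return data[pos1:pos2 + 1]


def parse_with_eval(data):
    """The original approach: runs whatever sits between the markers."""
    return eval(extract_literal(data))  # deliberately unsafe, for contrast


def parse_with_literal_eval(data):
    """Safe: only literals (lists, tuples, dicts, strings, numbers) parse."""
    return ast.literal_eval(extract_literal(data))


def parse_with_json(data):
    """Safe and stricter still: the JS array here is also valid JSON."""
    return json.loads(extract_literal(data))


def validate_rows(rows):
    """A safe parser only proves 'it is data'; check the shape as well."""
    if not isinstance(rows, list):
        raise ValueError("expected a list of rows")
    for row in rows:
        if not (isinstance(row, list) and len(row) == 9):
            raise ValueError("bad row shape: %r" % (row,))
        if not (isinstance(row[0], str) and isinstance(row[1], str)):
            raise ValueError("symbol and name must be strings")
        for v in row[2:7]:
            if isinstance(v, bool) or not isinstance(v, (int, float)):
                raise ValueError("numeric field expected, got %r" % (v,))
    return rows


# Constructed hostile page: the "data" is an expression that runs code.
HOSTILE_HTML = 'var table_body = [__import__("os").getpid()];'


def hostile_is_executed_by_eval():
    """eval happily runs the call and hands back its result."""
    return isinstance(parse_with_eval(HOSTILE_HTML)[0], int)


def hostile_is_rejected(parser):
    """Both safe parsers refuse the same input instead of executing it."""
    try:
        parser(HOSTILE_HTML)
    except (ValueError, SyntaxError):  # json raises a ValueError subclass
        return True
    return False


if __name__ == "__main__":
    for row in validate_rows(parse_with_literal_eval(SAMPLE_HTML)):
        print(row[0], row[1], row[2])
    print("eval ran the hostile code:", hostile_is_executed_by_eval())
    print("literal_eval rejected it:", hostile_is_rejected(parse_with_literal_eval))
    print("json rejected it:", hostile_is_rejected(parse_with_json))
```

Prefer json.loads when the producer's format is JSON anyway: it is a smaller
grammar than Python literals, so there is less for a hostile page to play with,
and it fails loudly on anything else. Whichever parser you use, keep the shape
check; a rejected expression is the easy case, a list of the wrong length or
with a string where a price should be is what actually breaks the report.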