Question about using python as a scripting language

Carl Banks pavlovevidence at gmail.com
Wed Aug 9 11:11:21 EDT 2006


Wildemar Wildenburger wrote:
> Steve Lianoglou wrote:
> > Delaney, Timothy (Tim) wrote:
> >> This is just asking for trouble.
> >>
> >> my_list = eval("import shutil; shutil.rmtree('/')")
> >
> > Hah .. wow.
> >
> > And in related news: you still shouldn't be taking candy from
> > strangers.
> >
> > Point well taken. Thanks for flagging that one.
>
> Heck, whenever *is* it OK to use eval() then?

1. When you deliberately want to give the user power to run Python
code.  (For example, I've written an HTML generator--who hasn't--that
uses eval and exec to expand in-line Python code.  Perfectly ok as long
as you don't let untrusted users run the program.)

2. When you construct Python code within your program using no
untrusted data.


Carl Banks
