NEWB: how to convert a string to dict (dictionary)
Duncan Booth
duncan.booth at invalid.invalid
Thu May 25 03:46:44 EDT 2006
manstey wrote:
> Thanks. I didn't know eval could do that. But why do many posts say
> they want a solution that doesn't use eval?
>
Because it is a sledgehammer: capable of driving in nails or breaking
rocks. Most times people say 'I want to use eval' they are using it to
drive nails and something like 'getattr' would be more appropriate.

If you have a string which could have come from an untrusted source it can
be dangerous. Quite easily you can construct strings which will execute
arbitrary Python code.

e.g. If you are running an application on a web server and part or all of
the string has come from another system (which you don't necessarily
trust), then using eval could potentially do anything. Don't give people
you don't know a sledgehammer to use on your code.
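
An added example, not part of the original post: one way to turn a dict-shaped string into a dict without eval, using the standard library's `ast.literal_eval`, which accepts only literals and rejects calls, names and attribute access. The function name `parse_dict_string`, the `UnsafeInput` exception, the length limit and the sample strings are assumptions made up for this illustration.

```python
import ast

# Assumed limit: literal_eval executes no code, but very large or deeply
# nested input can still exhaust memory or the interpreter stack.
MAX_LEN = 10_000


class UnsafeInput(ValueError):
    """Raised when the string is not a plain dict literal."""


def parse_dict_string(text, max_len=MAX_LEN):
    """Convert a string such as "{'a': 1}" to a dict without executing it."""
    if not isinstance(text, str):
        raise UnsafeInput("expected str")
    if len(text) > max_len:
        raise UnsafeInput("input too long")
    try:
        value = ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError,
            MemoryError, RecursionError) as exc:
        raise UnsafeInput("not a literal: " + type(exc).__name__) from exc
    if not isinstance(value, dict):
        raise UnsafeInput("expected dict, got " + type(value).__name__)
    return value


# Constructed sample inputs, as they might arrive from another system.
SAMPLES = [
    "{'a': 1, 'b': [2, 3]}",   # plain literal: accepted
    "{'a': len('xyz')}",       # contains a function call: rejected
    "[1, 2]",                  # a literal, but not a dict: rejected
    "{'a': 1",                 # malformed: rejected
]


def classify(samples=SAMPLES):
    """Return 'ok' or 'rejected' for each sample string."""
    results = []
    for s in samples:
        try:
            parse_dict_string(s)
            results.append("ok")
        except UnsafeInput:
            results.append("rejected")
    return results


if __name__ == "__main__":
    print(classify())
```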