Why shouldn't you put config options in py files

malkarouri malkarouri at gmail.com
Thu Dec 4 15:05:30 EST 2008


On 4 Dec, 19:35, HT <h... at example.com> wrote:
> A colleague of mine is arguing that since it is easy to write config like:
>
> FOO = {'bar': {'a': 'b'}, 'abc': {'z': 'x'}}
>
> in config.py and just import it to get FOO, but difficult to achieve the
> same using an ini file and ConfigParser, and since Python files are just
> text, we should just write the config options in the Python file and
> import it.
>
> I can think of lots of arguments why this is a bad idea, but I don't
> seem to be able to think of a really convincing one.
>
> Anyone?

Some people actually do that. IIRC, IPython is now configured using a
Python module.
The idea, however, is dangerous from a security viewpoint. Because
anybody can edit his configuration .py file, you are in effect
injecting arbitrary code into your program. Think that your program
starts with raw_input() and then goes on to execute whatever you get.
Same problems with SQL injection for example.
So people prefer to have a much more controlled environment for
configuration. In particular, the idea of using json as Chris said
should become a best practice now we have the json module.

Regards,

Muhammad Alkarouri
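
The difference discussed in this message, as an added example that is not part of the original post: loading a Python config file runs every statement in it, while a JSON loader only yields data that can then be shape-checked. The sample config texts and the names `load_py_config`, `load_json_config` and `json_accepts` are constructed for illustration.

```python
import json

# Constructed sample: a "config.py" whose editor added one extra statement.
PY_CONFIG = """
FOO = {'bar': {'a': 'b'}, 'abc': {'z': 'x'}}
side_effects.append('code ran during config load')
"""

# Constructed sample: the same settings expressed as JSON.
JSON_CONFIG = '{"FOO": {"bar": {"a": "b"}, "abc": {"z": "x"}}}'


def load_py_config(source):
    """Mimic `import config`: run the file, return FOO and any side effects."""
    side_effects = []
    namespace = {"side_effects": side_effects}
    exec(source, namespace)  # importing a .py config amounts to this
    return namespace["FOO"], side_effects


def load_json_config(text):
    """Parse data only, then check the shape the program expects."""
    data = json.loads(text)  # raises ValueError on anything that is not JSON
    if not isinstance(data, dict) or set(data) != {"FOO"}:
        raise ValueError("unexpected top-level keys")
    foo = data["FOO"]
    if not isinstance(foo, dict):
        raise ValueError("FOO must be an object")
    for name, section in foo.items():
        if not isinstance(section, dict) or not all(
            isinstance(v, str) for v in section.values()
        ):
            raise ValueError("section %r must map strings to strings" % name)
    return foo


def json_accepts(text):
    """Return True only if text passes the JSON loader and its shape check."""
    try:
        load_json_config(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(load_py_config(PY_CONFIG))      # settings plus the extra statement's effect
    print(load_json_config(JSON_CONFIG))  # settings only
    print(json_accepts(PY_CONFIG))        # the Python file is rejected as data
```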


