Dynamic comparison operators
Steven D'Aprano
steve+comp.lang.python at pearwood.info
Thu May 24 21:08:14 EDT 2012
On Thu, 24 May 2012 11:22:37 -0400, Colin J. Williams wrote:
> On 24/05/2012 10:14 AM, mlangenhoven at gmail.com wrote:
>> I would like to pass something like this into a function
>> test(val1,val2,'>=')
>>
>> and it should come back with True or False.
>>
>> Is there a way to dynamically compare 2 values like this or will I have
>> to code each operator individually?
>
> Would something like the following meet your need?
>
> Yes, it would be nice if there were a b.__name__ constant.
What is "a b.__name__ constant", and how will it be useful?
As for your solution using eval, please, please, PLEASE do not encourage
newbies to write slow, insecure, dangerous code. There are enough
security holes in software without you encouraging people to create more.
* eval is slow.
* eval is dangerous.
* eval is using a 200lb sledgehammer to crack a peanut.
Any time you find yourself thinking that you want to use eval to solve a
problem, take a long, cold shower until the urge goes away.
If you have to ask why eval is dangerous, then you don't know enough
about programming to use it safely. Scrub it out of your life until you
have learned about code injection attacks, data sanitation, trusted and
untrusted input. Then you can come back to eval and use it safely and
appropriately.
Today, your "test" function using eval is used only by yourself, at the
interactive interpreter. Tomorrow, it ends up in a web application, and
random hackers in China and script-kiddies in Bulgaria now have total
control of your server. Any time you hear about some piece of malware or
some virus infecting people's systems when they look at a PDF file,
chances are high that it is a code injection attack.
To learn more, you can start here:
http://cwe.mitre.org/top25/index.html
Two of the top three most common vulnerabilities are code injection
attacks, similar to the improper use of eval.
Here is the "eval injection" vulnerability:
http://cwe.mitre.org/data/definitions/95.html
Also google on "code injection" for many more examples.
--
Steven
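A table-driven version of the `test(val1, val2, '>=')` function the original question asks for, added here as an example and not code from the thread or its participants. It looks the operator string up in a fixed dict of functions from the standard `operator` module and rejects anything else, so an operator string from untrusted input never reaches the interpreter the way it would with `eval`. The names `compare`, `filter_rows` and the sample rows are my own.

```python
"""Dynamic comparison without eval: dispatch on a whitelist of operator
functions from the standard library instead of evaluating a string."""
import operator

# Only these operator strings are accepted. Anything else is rejected, so
# the caller-supplied string is a lookup key, never code.
COMPARISONS = {
    "<": operator.lt,
    "<=": operator.le,
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    ">=": operator.ge,
}


def compare(val1, val2, op):
    """Return the result of ``val1 <op> val2`` (plays the role of the
    thread's ``test(val1, val2, '>=')``).

    An unknown ``op`` raises ValueError instead of being interpreted.
    """
    try:
        func = COMPARISONS[op]
    except KeyError:
        raise ValueError(f"unsupported comparison operator: {op!r}")
    return func(val1, val2)


def filter_rows(rows, field, op, threshold):
    """Apply one dynamic comparison to each dict in ``rows``: the kind of
    use (a filter taken from a web request) where an eval-based version
    would be a code-injection hole."""
    return [row for row in rows if compare(row[field], threshold, op)]


# Constructed sample data for the demonstration below.
SAMPLE_ROWS = [{"name": "a", "age": 30}, {"name": "b", "age": 17}]

if __name__ == "__main__":
    print(compare(3, 2, ">="))
    print(filter_rows(SAMPLE_ROWS, "age", ">=", 18))
```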