Question about ast.literal_eval
Chris Angelico
rosuav at gmail.com
Mon May 20 03:55:03 EDT 2013
On Mon, May 20, 2013 at 5:50 PM, Frank Millman <frank at chagford.com> wrote:
> On 20/05/2013 09:34, Carlos Nepomuceno wrote:
>> Why don't you use eval()?
>>
>
> Because users can create their own columns, with their own constraints.
> Therefore the string is user-modifiable, so it cannot be trusted.
Plenty of reason right there :)
Is it a requirement that they be able to key in a constraint as a
single string? We have a similar situation in one of the systems at
work, so we divided the input into three(ish) parts: pick a field,
pick an operator (legal operators vary according to field type -
integers can't be compared against regular expressions, timestamps can
use >= and < only), then enter the other operand. Sure, that cuts out
a few possibilities, but you get 99.9%+ of all usage and it's easy to
sanitize.
ChrisA
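A sketch of the three-part input Chris describes (pick a field, pick an operator from the list allowed for that field's type, supply the other operand), as an added example that is not part of the original thread. The field schema, the per-type operator tables and the sample rows are all assumptions made up for the illustration; the point is that nothing the user types is ever evaluated, it is only looked up in a table or coerced to a concrete type.

```python
import operator
import re
from datetime import datetime

# Assumed schema: column name -> type. In a real system this comes from
# the user's column definitions, but only the type is consulted here.
FIELD_TYPES = {
    "age": "int",
    "username": "str",
    "created_at": "timestamp",
}

# Allowlist of operators per type. User input selects a key; it never
# reaches eval()/literal_eval(). Integers cannot be matched against a
# regex, timestamps only get >= and <, as in the post.
OPERATORS = {
    "int": {
        "==": operator.eq, "!=": operator.ne,
        "<": operator.lt, "<=": operator.le,
        ">": operator.gt, ">=": operator.ge,
    },
    "str": {
        "==": operator.eq, "!=": operator.ne,
        "matches": lambda value, pattern: re.fullmatch(pattern, value) is not None,
    },
    "timestamp": {
        ">=": operator.ge,
        "<": operator.lt,
    },
}

MAX_PATTERN_LEN = 200  # crude cap so a user regex cannot be arbitrarily large


class ConstraintError(ValueError):
    """Raised when a (field, operator, operand) triple is not acceptable."""


def _coerce(field_type, raw):
    """Turn the user's operand string into a typed value, or raise ValueError."""
    if field_type == "int":
        return int(raw)  # int() rejects junk such as "__import__('os')"
    if field_type == "str":
        return str(raw)
    if field_type == "timestamp":
        return datetime.fromisoformat(raw)
    raise ValueError(f"unsupported field type {field_type!r}")


def build_constraint(field, op, raw_operand):
    """Return a predicate(row) -> bool, or raise ConstraintError."""
    try:
        ftype = FIELD_TYPES[field]
    except KeyError:
        raise ConstraintError(f"unknown field {field!r}")
    try:
        fn = OPERATORS[ftype][op]
    except KeyError:
        raise ConstraintError(f"operator {op!r} not allowed for {ftype} field {field!r}")
    try:
        operand = _coerce(ftype, raw_operand)
    except ValueError as exc:
        raise ConstraintError(f"bad operand for {field!r}: {exc}")
    if op == "matches":
        if len(operand) > MAX_PATTERN_LEN:
            raise ConstraintError("pattern too long")
        try:
            re.compile(operand)
        except re.error as exc:
            raise ConstraintError(f"bad pattern: {exc}")

    def predicate(row):
        return fn(row[field], operand)

    return predicate


def constraint_error(field, op, raw_operand):
    """Validation helper: the error message for a bad triple, or None if it is fine."""
    try:
        build_constraint(field, op, raw_operand)
    except ConstraintError as exc:
        return str(exc)
    return None


def apply_constraints(rows, specs):
    """AND together a list of (field, op, operand) triples and filter rows.
    All triples are validated before any row is examined."""
    predicates = [build_constraint(*spec) for spec in specs]
    return [row for row in rows if all(p(row) for p in predicates)]


# Constructed sample data for the example.
ROWS = [
    {"age": 17, "username": "alice", "created_at": datetime(2013, 5, 19, 12, 0)},
    {"age": 42, "username": "bob_admin", "created_at": datetime(2013, 5, 20, 9, 34)},
    {"age": 30, "username": "carol", "created_at": datetime(2013, 5, 21, 10, 0)},
]

if __name__ == "__main__":
    for row in apply_constraints(ROWS, [("age", ">=", "18"), ("created_at", "<", "2013-05-21")]):
        print(row["username"])
    print(constraint_error("age", ">=", "__import__('os').system('id')"))
```

The operand is coerced with the type's own constructor, so an attempt to smuggle code through it fails as a plain ValueError; an unknown field or an operator the type does not offer is refused before anything touches the data. The same triples can be turned into a parameterised SQL WHERE clause later, with the operator still coming from the allowlist and the operand passed as a bound parameter.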