Question about ast.literal_eval

Frank Millman frank at chagford.com
Mon May 20 04:07:43 EDT 2013


On 20/05/2013 09:55, Chris Angelico wrote:
> On Mon, May 20, 2013 at 5:50 PM, Frank Millman <frank at chagford.com> wrote:
>> On 20/05/2013 09:34, Carlos Nepomuceno wrote:
>>> Why don't you use eval()?
>>>
>>
>> Because users can create their own columns, with their own constraints.
>> Therefore the string is user-modifiable, so it cannot be trusted.
>
> Plenty of reason right there :)
>
> Is it a requirement that they be able to key in a constraint as a
> single string? We have a similar situation in one of the systems at
> work, so we divided the input into three(ish) parts: pick a field,
> pick an operator (legal operators vary according to field type -
> integers can't be compared against regular expressions, timestamps can
> use >= and < only), then enter the other operand. Sure, that cuts out
> a few possibilities, but you get 99.9%+ of all usage and it's easy to
> sanitize.
>
> ChrisA
>

It is not a requirement, no. I just thought it would be a convenient 
short-cut.

I had in mind something similar to your scheme above, so I guess I will 
have to bite the bullet and implement it.

Thanks

Frank
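The field / operator / operand scheme Chris describes, written up as an added example (not code from this thread): each field has a type, each type has a whitelist of operators, and the constraint is compiled into a plain Python callable, so no user string is ever passed to eval() or literal_eval(). The field names, the per-type operator tables and the sample row are constructed assumptions.

```python
import operator
import re
from datetime import datetime
from typing import Any, Callable, Dict

# Constructed whitelist: which operators each field type may use.
_INT_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
}
_STR_OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": operator.eq, "!=": operator.ne,
    # Pattern comes from the user; keep it short to limit backtracking cost.
    "matches": lambda value, pattern: re.fullmatch(pattern, value) is not None,
}
_TS_OPS: Dict[str, Callable[[Any, Any], bool]] = {">=": operator.ge, "<": operator.lt}

OPS_BY_TYPE = {"int": _INT_OPS, "str": _STR_OPS, "timestamp": _TS_OPS}
# Constructed schema: field name -> field type.
FIELD_TYPES: Dict[str, str] = {"qty": "int", "name": "str", "created": "timestamp"}
MAX_PATTERN_LEN = 64

def is_allowed(field: str, op: str) -> bool:
    """True if this operator is on the whitelist for the field's type."""
    field_type = FIELD_TYPES.get(field)
    return field_type is not None and op in OPS_BY_TYPE[field_type]

def _coerce(field_type: str, raw: str) -> Any:
    """Turn the user's operand text into a typed value (raises on bad input)."""
    if field_type == "int":
        return int(raw)
    if field_type == "timestamp":
        return datetime.fromisoformat(raw)
    if len(raw) > MAX_PATTERN_LEN:
        raise ValueError("operand too long")
    return raw

def compile_constraint(field: str, op: str, raw_operand: str) -> Callable[[dict], bool]:
    """Build a row predicate from the three user-supplied parts; no eval involved."""
    if not is_allowed(field, op):
        raise ValueError(f"operator {op!r} not allowed on field {field!r}")
    field_type = FIELD_TYPES[field]
    fn = OPS_BY_TYPE[field_type][op]
    operand = _coerce(field_type, raw_operand)
    return lambda row: fn(row[field], operand)

# Constructed sample row the predicates are evaluated against.
SAMPLE_ROW = {"qty": 12, "name": "frank", "created": datetime(2013, 5, 20, 4, 7, 43)}
```

Rejected combinations (a regex against an integer column, an unknown field) fail at compile time with ValueError rather than reaching the data.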
