Alternatives to XML?
Frank Millman
frank at chagford.com
Thu Aug 25 02:11:47 EDT 2016
"Chris Angelico" wrote in message
news:CAPTjJmq2bcQPmQ9itVvZrBZJPcbYe5z6vDpKGYQj=8H+qKvXxQ at mail.gmail.com...
On Thu, Aug 25, 2016 at 3:33 PM, Frank Millman <frank at chagford.com> wrote:
> @Peter/Chris
> > I don't understand - please explain.
> >
> > If I store the business rule in Python code, how do I prevent untrusted
> > users putting malicious code in there? I presume I would have to execute
> > the code by calling eval(), which we all know is dangerous. Is there
> > another way of executing it that I am unaware of?
> The real question is: How malicious can your users be?
> If the XML file is stored adjacent to the Python script that runs it,
> anyone who can edit one can edit the other. Ultimately, that means that
> (a) any malicious user can simply edit the Python script, and therefore
> (b) anyone who's editing the other file is not malicious.
> If that's not how you're doing things, give some more details of what
> you're trying to do. How are you preventing changes to the Python script?
> How frequent will changes be? Can you simply put all changes through a git
> repository and use a pull request workflow to ensure that a minimum of two
> people eyeball every change?
All interaction with users is via a gui. The database contains tables that
define the database itself - tables, columns, form definitions, etc. These
are not purely descriptive, they drive the entire system. So if a user
modifies a definition, the changes are immediate.
Does that answer your question? I can go into a lot more detail, but I am
not sure where to draw the line.
Frank
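One way to run user-stored rules without eval(), as an added example that is not from this thread or its authors: parse the rule with Python's ast module and evaluate only a whitelist of node types (names, constants, arithmetic, comparisons, boolean operators), rejecting calls, attribute access, subscripts and anything else before any evaluation happens. The field names, sample values and the RuleError class are constructed for the example.

```python
import ast
import operator

# Constructed example: a restricted evaluator for simple business-rule
# expressions. Only whitelisted AST node types are accepted; calls,
# attribute access, imports and subscripts are rejected before evaluation.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
}
_CMP_OPS = {
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
}

class RuleError(ValueError):
    """Raised when a rule uses a construct outside the whitelist."""

def _eval(node, env):
    # Walk the tree; every branch not listed here is refused outright.
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in env:
            raise RuleError(f"unknown field {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMP_OPS:
        return _CMP_OPS[type(node.ops[0])](_eval(node.left, env), _eval(node.comparators[0], env))
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, env) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, env)
    raise RuleError(f"disallowed construct: {type(node).__name__}")

def evaluate_rule(rule, env):
    """Evaluate a rule string against a dict of field values, or raise RuleError."""
    try:
        tree = ast.parse(rule, mode="eval")
    except SyntaxError as exc:
        raise RuleError(f"bad syntax: {exc.msg}") from None
    return _eval(tree, env)
```

The evaluator deliberately has no way to reach functions or attributes, so the only values a rule can touch are the ones the caller places in env.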