[Tutor] pass tuples to user defined function(beginner)

Steven D'Aprano steve at pearwood.info
Tue Nov 29 00:14:48 CET 2011


James Reynolds wrote:

> Alternatively, since you aren't actually passing a "tuple" but something
> that looks like a python tuple as a string, you could eval it:

Please don't give beginners terrible advice like this.

There are already too many programs vulnerable to code injection attacks 
without us encouraging newbies to write more.

If anyone here doesn't know what a code injection attack is, and what it has 
to do with eval and exec, then please do not write another line of code until 
you have learned.


> a = "('note',2048)"
> b = eval(a)


And then one day somebody finds a way of passing input like this to your web 
server using that code:

"__import__('os').system('echo i got you now rm-rf')"

Say goodnight Gracie. I hope you have good backups.



-- 
Steven
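The safe alternative this reply points toward, as an added example that is not part of the original thread: `ast.literal_eval` parses the poster's tuple string but refuses the injection string, because it only builds Python literals and never calls anything. The function names below are my own.

```python
import ast

# Constructed inputs taken from the thread: the tuple-as-string the original
# poster wanted to parse, and the injection string quoted in the reply.
TUPLE_TEXT = "('note',2048)"
INJECTION_TEXT = "__import__('os').system('echo i got you now rm-rf')"


def parse_tuple_literal(text):
    """Return the tuple encoded in text, or raise ValueError.

    ast.literal_eval only builds literals (strings, numbers, tuples, lists,
    dicts, sets, booleans, None).  A call, attribute access or name lookup
    is rejected with ValueError before anything runs, which is exactly what
    eval() would not do.  It is still not a sandbox: very large or deeply
    nested input can exhaust memory or the recursion limit, so those errors
    are folded into the same rejection path.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a plain literal: {text!r}") from exc
    if not isinstance(value, tuple):
        raise ValueError(f"expected a tuple, got {type(value).__name__}")
    return value


def is_plain_tuple_literal(text):
    """True if text parses as a tuple literal, False if it is rejected."""
    try:
        parse_tuple_literal(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_tuple_literal(TUPLE_TEXT))         # ('note', 2048)
    print(is_plain_tuple_literal(INJECTION_TEXT))  # False, and nothing ran
```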
