Using eval, or something like it...
Steven D'Aprano
steve at REMOVE-THIS-cybersource.com.au
Thu Nov 20 22:56:29 EST 2008
On Thu, 20 Nov 2008 11:12:56 +1000, James Mills wrote:
> DON'T USE eval!
If you're going to make a sweeping generalization like that, at least
offer some alternatives, and explain why eval should be avoided.
Otherwise your advice is just cargo-cult programming.
eval is not inherently bad, it does have its uses. The timeit module, for
instance, uses eval. But in general, there are better, faster ways of
doing things than eval.
In my own testing, I find that eval('code') causes a serious speed hit:
it's about ten times slower than just executing code directly.
eval also is a security risk, if you can't trust the code you are passing
to it. You can *try* to mitigate those risks by filtering the string, and
by setting the globals and locals arguments to eval, but you can't
entirely remove the risk. The best way to remove the risk is to never use
eval on untrusted code.
--
Steven
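The point about setting globals and locals not removing the risk can be shown concretely. The following is an added example (mine, not code from the post or from the python-list thread): it runs eval with an empty `__builtins__` and an empty namespace, and a constructed expression that uses no names at all, only attribute access on the literal `()`, still walks from `object.__subclasses__()` into a module's globals and hands back `os.system`. The function names, the payload string and the sample data string are all my own; `ast.literal_eval` is shown as the alternative for the common case where eval was only being used to turn a string into data.

```python
import ast
import os

# Constructed untrusted input (my example, not from the post). It names no
# global and no builtin, only attribute access on the literal (), so passing
# empty globals/builtins to eval does not stop it. It walks from
# () -> tuple -> object -> every direct subclass of object, keeps the classes
# whose __init__ is a plain Python function, reads that function's module
# globals, and pulls os.system out of the os module's namespace
# (os._wrap_close, the popen() helper, is such a class in CPython).
ESCAPE_PAYLOAD = (
    "[g for g in [c.__init__.__globals__"
    "      for c in ().__class__.__base__.__subclasses__()"
    "      if c.__init__.__class__.__name__ == 'function']"
    " if g.get('__name__') == 'os'][0]['system']"
)


def sandboxed_eval(expr):
    """The 'set globals and locals' mitigation mentioned in the post:
    no builtins at all, and an empty local namespace."""
    return eval(expr, {"__builtins__": {}}, {})


def escape_reaches_os_system():
    """True if the sandboxed eval still hands back the real os.system.
    Nothing is executed here; the identity check is the whole demo."""
    return sandboxed_eval(ESCAPE_PAYLOAD) is os.system


def safe_parse_literal(text):
    """Alternative when eval was only used to parse data from a string:
    ast.literal_eval accepts only literals (numbers, strings, bytes,
    tuples, lists, dicts, sets, booleans, None) and never evaluates
    attribute access, subscripts on names, or calls."""
    return ast.literal_eval(text)


def literal_eval_rejects(text):
    """True if ast.literal_eval refuses the input instead of evaluating it."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("sandboxed eval reaches os.system:", escape_reaches_os_system())
    print(safe_parse_literal("{'port': 8080, 'hosts': ['a', 'b'], 'tls': True}"))
    print("literal_eval rejects payload:", literal_eval_rejects(ESCAPE_PAYLOAD))
    print("literal_eval rejects __import__:", literal_eval_rejects("__import__('os')"))
```

Filtering the string for substrings like `__` or `import` is the other mitigation the post mentions; it narrows the payload space but does not change the fact that eval evaluates arbitrary expressions against the live interpreter. If the input is data, parse it with `ast.literal_eval` (or json); if it is genuinely code, it has to be trusted as code.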