[Tutor] Exec? [was comparative code questions]
Tim Johnson
tim@johnsons-web.com
Tue Jan 14 23:16:02 2003
* Danny Yoo <dyoo@hkn.eecs.berkeley.edu> [030114 18:55]:
<..> > I'm looking at page 456 in "The Python Cookbook"
> > I quote as follows:
> >
> > "The exec statement is a last-ditch measure, to be used only
> > when nothing else is available (which is basically never)"
<...>
> eval() and exec() allow us to evaluate arbitrary strings as Python
> programs. This is a powerful feature, but dangerous if we consider that
> many strings come from the outside world. Think of the security fiascos
> with Microsoft Outlook, and that's the general idea of the problem: eval()
> is very exploitable.
>
> In simple programs for our own use, it's probably acceptable to use
> eval(). But for programs that are meant for outside use, eval() is often
> not a good idea because it's all too easy not to protect it from outside
> subversion.
Aha! Transformational programming (using a Scheme term), best use of
'exec' and 'eval' may be to be used in ad hoc code generation rather
than 'on the fly evaluation'.
Thanks Danny - for the "Dive into Mark" article as well.
--
Tim Johnson <tim@johnsons-web.com>
http://www.alaska-internet-solutions.com
http://www.johnsons-web.com
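An added example (not code from Tim's or Danny's message) of the point Danny makes above: a string from the outside world can be turned into data with ast.literal_eval, or evaluated by a small whitelisting walker over its syntax tree, so that nothing from outside is ever handed to eval()/exec(). The set of supported arithmetic operators is an assumption for illustration.

```python
"""Evaluating untrusted strings without eval()/exec().

ast.literal_eval accepts only Python literals (numbers, strings, tuples,
lists, dicts, sets, booleans, None): an outside string can become data but
never a function call, name lookup or import.  For expressions that need
arithmetic, a tiny AST walker that refuses every node type it does not
know is still safer than eval(), because the refusal is the default.
"""
import ast
import operator

# Operators the restricted evaluator will apply.  Assumption: the
# application only needs simple arithmetic on user-supplied expressions.
_BINOPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def parse_literal(text):
    """Turn an untrusted string into data, or None if it is not a pure literal."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


def safe_arith(text):
    """Evaluate an arithmetic expression by walking its AST.

    Only numeric constants, whitelisted binary operators and unary minus
    are accepted; anything else (names, calls, attribute access,
    subscripts, ...) raises ValueError instead of being executed.
    """
    tree = ast.parse(text, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("disallowed syntax: %s" % type(node).__name__)

    return walk(tree)
```

Compared with eval(), both functions start from "reject everything" and admit only the forms the application actually needs.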