[Tutor] Security [Was: Re: Decoding]

Alan Gauld alan.gauld at btinternet.com
Mon Aug 13 20:26:27 CEST 2007


"bhaaluu" <bhaaluu at gmail.com> wrote 

> Now for MY question: Besides eval(), are there other functions that
> should be 'red-flagged' as well? 

Pretty much anything that can execute user entered code is 
a potential security problem. The most common are probably:

eval()
exec()
execfile()
input()

All of these execute code one way or another and unless you 
are absolutely sure that the code couldn't be malicious you 
should avoid using them. In most cases there are safer alternatives.

BTW All are fine for prototyping ideas, experimenting at the 
>>> prompt etc and can save you some typing. But if you then 
want to turn your idea into a script think about changing 
these functions to something safer.

Also in databases using string substitution instead of the 
DBAPI substitution can allow SQL injection attacks.
See my database topic in my tutor for more on that one.
Search for the heading: A Word about Security

I'm sure others will bring up other examples but these 
are the ones we see most often on this list.

HTH,

Alan G.
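An added example, not part of Alan's message or his tutor, showing the two points above in working Python 3 code: ast.literal_eval as the restricted stand-in for eval() on untrusted text, and the same sqlite3 lookup written once with string substitution and once with DBAPI parameter substitution. The table, its rows and the hostile input are constructed here for the demonstration.

```python
import ast
import sqlite3


def safe_parse_literal(text):
    """Safer stand-in for eval(): accepts only Python literals (numbers,
    strings, tuples, lists, dicts); calls and attribute access are refused."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


def make_db():
    """Constructed in-memory table with a couple of sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"),
                      ("bob", "bob@example.org")])
    return conn


def find_email_unsafe(conn, name):
    """String substitution: the caller's text becomes part of the SQL itself,
    so a quote character in it changes the structure of the query."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """DBAPI parameter substitution: the driver passes name as a value, so
    whatever it contains is compared against the column, never parsed."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed input that closes the quote
    print(find_email_unsafe(conn, hostile))  # every email in the table
    print(find_email_safe(conn, hostile))    # [] : no user has that name
    print(safe_parse_literal("[1, 2, 3]"))   # [1, 2, 3]
    print(safe_parse_literal("__import__('os')"))  # None, refused
```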