[Tutor] eval use (directly by interpreter vs with in a script)
Ken G.
beachkidken at gmail.com
Mon Nov 3 00:23:12 CET 2014
On 11/02/2014 04:49 PM, Danny Yoo wrote:
> Hi Alex,
>
> Just as a side note, someone has probably already told you something
> like this, but: I would strongly recommend not to use Python's eval()
> or exec(). Those language features are dangerous. Every eval() or
> exec() is a possible vector for injection attacks. This week's
> injection attack of the week appears to be Drupal:
> https://www.drupal.org/PSA-2014-003, and it's certainly not going to
> be the last, but why should we encourage this?
>
> In the face of this, we have to admit to ourselves that these features
> are hard to use. Beginners should certainly give those features a
> very wide berth. I don't think it's crazy to say that community
> wisdom is to strongly discourage dynamic code evaluation features
> unless we have no other choice.
>
> Are you just exploring the features of Python, or is there a
> particular task you're trying to solve with eval or exec()? Perhaps
> you can accomplish the same goal in another way?
I use exec to jump to another program within the
same directory, such as:
execfile("BloodPressure02Sorting.py")
and let the program terminate there. Should I do
it differently or are you talking about a different
horse?
Ken
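As an added illustration of the two points raised in this exchange (this is example code written for this page, not code from either poster), the block below shows what a beginner can reach for instead of eval()/exec(): ast.literal_eval() for turning typed-in text into data without the interpreter running it as code, and runpy.run_path() with an explicit directory check for handing control to another script, which is what the execfile() call above does. It targets Python 3; the script name BloodPressure02Sorting.py is taken from the message above, and the script's contents and the temporary directory are constructed here for the demonstration.

```python
"""Added example (not from the Tutor thread): alternatives to eval()/exec()
and execfile() for the two uses discussed above."""
import ast
import os
import runpy
import tempfile


def parse_reading(text):
    """Parse user-typed text such as '(120, 80)' or '72.5' into Python data.

    ast.literal_eval() accepts only literals (numbers, strings, tuples, lists,
    dicts, sets, booleans, None), so unlike eval() it can never run a function
    call or an import that happens to be typed into the input.  Anything that
    is not a plain literal comes back as None.
    """
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError):
        return None


def is_allowed_script(script_name, base_dir):
    """True only if script_name names a .py file directly inside base_dir.

    Resolving both paths with realpath() and comparing the parent directory
    rejects names such as '../other.py' or 'sub/x.py' that would otherwise
    run a file outside the directory the program expects.
    """
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, script_name))
    return os.path.dirname(path) == base and path.endswith(".py")


def run_sibling_script(script_name, base_dir):
    """Run another script from base_dir, as execfile() was used for above.

    runpy.run_path() executes the file with a fresh set of globals and returns
    that namespace; run_name='__main__' makes the script's own
    'if __name__ == "__main__":' block run, as it would from the command line.
    """
    if not is_allowed_script(script_name, base_dir):
        raise ValueError("refusing to run %r outside %r" % (script_name, base_dir))
    path = os.path.join(os.path.realpath(base_dir), script_name)
    return runpy.run_path(path, run_name="__main__")


def demo():
    """Write a throwaway script (constructed for this example) into a temp
    directory and hand control to it the way the original execfile() did."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "BloodPressure02Sorting.py")
        with open(script, "w") as fh:
            fh.write("readings = sorted([(130, 85), (118, 76), (124, 80)])\n")
        namespace = run_sibling_script("BloodPressure02Sorting.py", tmp)
        return namespace["readings"]


if __name__ == "__main__":
    print(parse_reading("(120, 80)"))                 # (120, 80)
    print(parse_reading("__import__('os').getcwd()"))  # None: not a literal
    print(demo())                                      # sorted readings
```

For the "jump to another program" case, importing the other file as a module (or calling its main() function) is usually cleaner still, but run_path() keeps the behaviour closest to execfile() while making the path explicit.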