467,080 Members | 894 Online
Bytes | Developer Community
Ask Question

Home New Posts Topics Members FAQ

Post your question to a community of 467,080 developers. It's quick & easy.

Re: eval() == evil? --- How to use it safely?

On Thu, 28 Aug 2008 14:51:57 -0700 (PDT), Fett <fe********@gmail.comwrote:
>I am creating a program that requires some data that must be kept up
to date. What I plan is to put this data up on a web-site then have
the program periodically pull the data off the web-site.

My problem is that when I pull the data (currently stored as a
dictionary on the site) off the site, it is a string, I can use eval()
to make that string into a dictionary, and everything is great.
However, this means that I am using eval() on some string on a web-
site, which seems pretty un-safe.

I read that by using eval(code,{"__builtins__":None},{}) I can prevent
them from using pretty much anything, and my nested dictionary of
strings is still allowable. What I want to know is:

What are the dangers of eval?
- I originally was using exec() but switched to eval() because I
didn't want some hacker to be able to delete/steal files off my
clients computers. I assume this is not an issue with eval(), since
eval wont execute commands.
- What exactly can someone do by modifying my code string in a command
like: thing = eval(code{"__builtins__":None},{}), anything other than
assign their own values to the object thing?
eval and exec are the same. Don't use either with strings from a web page.
Try using a simple format for you data, such as CSV.

Jean-Paul
Aug 28 '08 #1
  • viewed: 793
Share:

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

33 posts views Thread by Stuart | last post: by
7 posts views Thread by Reply Via Newsgroup | last post: by
9 posts views Thread by Jim Washington | last post: by
4 posts views Thread by sunnyboy@europe.com | last post: by
15 posts views Thread by manstey | last post: by
2 posts views Thread by emmettnicholas@gmail.com | last post: by
16 posts views Thread by Fett | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.