On Thu, 28 Aug 2008 14:51:57 -0700 (PDT), Fett <[EMAIL PROTECTED]> wrote:
I am creating a program that requires some data that must be kept up to date. What I plan is to put this data up on a web-site, then have the program periodically pull the data off the web-site.

My problem is that when I pull the data (currently stored as a dictionary on the site) off the site, it is a string. I can use eval() to make that string into a dictionary, and everything is great. However, this means that I am using eval() on some string on a web-site, which seems pretty unsafe. I read that by using eval(code, {"__builtins__": None}, {}) I can prevent them from using pretty much anything, and my nested dictionary of strings is still allowable.

What I want to know is: What are the dangers of eval?

- I originally was using exec() but switched to eval() because I didn't want some hacker to be able to delete/steal files off my clients' computers. I assume this is not an issue with eval(), since eval won't execute commands.
- What exactly can someone do by modifying my code string in a command like: thing = eval(code, {"__builtins__": None}, {}), anything other than assign their own values to the object thing?
eval and exec are the same. Don't use either with strings from a web page. Try using a simple format for your data, such as CSV.

Jean-Paul
--
http://mail.python.org/mailman/listinfo/python-list
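The following is an added example, not code posted by either participant in the thread. It shows why removing __builtins__ does not make eval() safe (attribute access on an ordinary literal still reaches every loaded class, with no builtins needed), and the two alternatives a practitioner would reach for: ast.literal_eval for the poster's existing "dictionary as a string" format, and a CSV reader for the flat format Jean-Paul suggests. The payload strings and the CSV sample are constructed for the example; the name of the fetched data and its layout are assumptions.

```python
import ast
import csv
import io

# Constructed sample of the "nested dictionary of strings" the poster publishes.
GOOD_PAYLOAD = "{'version': '1.2', 'mirrors': {'eu': 'http://example.invalid/eu'}}"

# Constructed hostile payload. It uses no builtins at all: starting from the
# empty tuple literal it walks to object and enumerates every loaded class.
# That list is the usual first step to reaching os/subprocess from a
# "restricted" eval, so the __builtins__ trick is not a sandbox.
HOSTILE_PAYLOAD = "{'version': ().__class__.__bases__[0].__subclasses__()}"


def restricted_eval(text):
    """The approach from the original post: eval() with __builtins__ removed.

    Still runs arbitrary expressions; only names from the builtins module are
    unavailable. Kept here to contrast with the safe parsers below.
    """
    return eval(text, {"__builtins__": None}, {})


def safe_literal(text):
    """Parse the existing dict-as-string format without executing it.

    ast.literal_eval accepts only Python literals (strings, numbers, tuples,
    lists, dicts, sets, booleans, None). Attribute access, calls, operators
    on non-literals and names all raise ValueError instead of running.
    """
    return ast.literal_eval(text)


def parse_csv(text):
    """Parse the flat key,value format Jean-Paul recommends.

    CSV has no expression syntax, so nothing in the file can be executed;
    a malformed row is rejected rather than interpreted.
    """
    result = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines
        if len(row) != 2:
            raise ValueError("expected key,value rows, got %r" % (row,))
        key, value = row
        result[key] = value
    return result


def hostile_payload_rejected():
    """True if ast.literal_eval refuses the hostile payload."""
    try:
        safe_literal(HOSTILE_PAYLOAD)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("literal_eval:", safe_literal(GOOD_PAYLOAD))
    classes = restricted_eval(HOSTILE_PAYLOAD)["version"]
    print("restricted eval still enumerated %d classes" % len(classes))
    print("literal_eval rejected hostile payload:", hostile_payload_rejected())
    print("csv:", parse_csv("version,1.2\nmirror_eu,http://example.invalid/eu\n"))
```

Whichever format is chosen, the data should also be fetched over HTTPS or carry a signature the client verifies, since a parser that cannot execute code still cannot tell a tampered file from a genuine one.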
