Re: Python Testimonials With Proofs

2020-01-19 Thread Abdur-Rahmaan Janhangeer
Also started editing https://wiki.python.org/moin/OrganizationsUsingPython

Most quotes over there don't have references.

Yours,

Abdur-Rahmaan Janhangeer
pythonmembers.club  | github

Mauritius


On Sun, Jan 19, 2020 at 10:59 AM Abdur-Rahmaan Janhangeer <
[email protected]> wrote:

> Greetings list,
>
> while exploring zipapp, I came across this quote on Shiv's docs:
>
> < in our data-centers and all of our employees workstations. The vast
> majority of these utilities are written in Python.>>
>
> Starting with that, I compiled top companies' quotes, like Instagram, Quora,
> Netflix, Facebook etc., on Python.
>
> https://github.com/Abdur-rahmaanJ/pytestimonials
>
> All quotes have original sources.
>
> I deliberately left out Peter Norvig's quote about Google as I could not
> find the source.
>
> I was driving with someone yesterday when I remembered this list and was
> telling him about Python at Quora etc. He was amazed as he sincerely did
> not know Python was being used for serious stuff at great companies.
>
> Feel free to add more.
>
> Yours,
>
> Abdur-Rahmaan Janhangeer
> pythonmembers.club  | github
> 
> Mauritius
>
-- 
https://mail.python.org/mailman/listinfo/python-list


Re: Debian Buster: ModuleNotFoundError: No module named 'mysql'

2020-01-19 Thread 황병희
^Bart  writes:

>> pip is probably defaulting to Python 2.7. Try using pip3, or this more
>> explicit syntax:
>
> Now it works!
>
> Python 3.7.3 (default, Apr  3 2019, 05:39:12)
> [GCC 8.3.0] on linux
> Type "help", "copyright", "credits" or "license()" for more information.

> == RESTART: /home/gabriele/Corso_4.0/Python/Test_MySQL2.py
> ==
> 


Wow, what a beautiful Debian-Python ^^^

Sincerely, Linux fan Byung-Hee

-- 
^Thank you _peace on earth and in heaven_ Thank you_^))//


Re: How to hide warning about drop table message to MariaDB

2020-01-19 Thread Python

^Bart wrote:

I ran this code:

#!/usr/bin/python
import MySQLdb

# Open database connection
db = MySQLdb.connect("localhost","root","MyPwd","MyDB")

# prepare a cursor object using cursor() method
cursor = db.cursor()

# Drop table if it already exist using execute() method.
cursor.execute("DROP TABLE IF EXISTS EMPLOYEE")

# Create table as per requirement
sql = """CREATE TABLE EMPLOYEE (
  FIRST_NAME  CHAR(20) NOT NULL,
  LAST_NAME  CHAR(20),
  AGE INT,
  SEX CHAR(1),
  INCOME FLOAT )"""

cursor.execute(sql)

# disconnect from server
db.close()

The table is created but I have also the below warning and I'd like to 
hide it:


Warning (from warnings module):
   File "/home/gabriele/Corso_4.0/Python/MySQL_create_table.py", line 11
     cursor.execute("DROP TABLE IF EXISTS EMPLOYEE")
Warning: (1051, "Unknown table 'gabfood.EMPLOYEE'")
 >>>


import warnings

with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    # your code


Sandboxing eval() (was: Calculator)

2020-01-19 Thread musbur
Is it actually possible to build a "sandbox" around eval, permitting it
only to do some arithmetic and use some math functions, but no
filesystem access or module imports?

I have an application that loads calculation recipes (a few lines of
variable assignments and arithmetic) from a database. 

exec(string, globals, locals)

with locals containing the input variables, and globals has a
__builtin__ object with a few math functions. It works, but is it safe?


Re: Sandboxing eval() (was: Calculator)

2020-01-19 Thread Paul Moore
On Sun, 19 Jan 2020 at 17:45,  wrote:
>
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?

No. This has been tried before, and it simply isn't safe in the face
of malicious input.

> I have an application that loads calculation recipes (a few lines of
> variable assignments and arithmetic) from a database.
>
> exec(string, globals, locals)
>
> with locals containing the input variables, and globals has a
> __builtin__ object with a few math functions. It works, but is it safe?

If you trust the source, it's OK, but a creative attacker who had the
ability to create a recipe could execute arbitrary code.

If you require safety, you really need to write your own parser/evaluator.

Paul


Re: Sandboxing eval()

2020-01-19 Thread MRAB

On 2020-01-19 17:35, [email protected] wrote:

Is it actually possible to build a "sandbox" around eval, permitting it
only to do some arithmetic and use some math functions, but no
filesystem access or module imports?

I have an application that loads calculation recipes (a few lines of
variable assignments and arithmetic) from a database.

exec(string, globals, locals)

with locals containing the input variables, and globals has a
__builtin__ object with a few math functions. It works, but is it safe?


There have been some attempts, but they've all been defeated.


Re: Sandboxing eval() (was: Calculator)

2020-01-19 Thread Jon Ribbens via Python-list
On 2020-01-19, [email protected]  wrote:
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
>
> I have an application that loads calculation recipes (a few lines of
> variable assignments and arithmetic) from a database. 
>
> exec(string, globals, locals)
>
> with locals containing the input variables, and globals has a
> __builtin__ object with a few math functions. It works, but is it safe?

No, not even slightly. If you want to do this you need to write your
own interpreter that runs your own domain-specific language.


Re: Sandboxing eval() (was: Calculator)

2020-01-19 Thread Chris Angelico
On Mon, Jan 20, 2020 at 4:43 AM  wrote:
>
> Is it actually possible to build a "sandbox" around eval, permitting it
> only to do some arithmetic and use some math functions, but no
> filesystem access or module imports?
>
> I have an application that loads calculation recipes (a few lines of
> variable assignments and arithmetic) from a database.
>
> exec(string, globals, locals)
>
> with locals containing the input variables, and globals has a
> __builtin__ object with a few math functions. It works, but is it safe?

As such? No. However, there are some elegant hybrid options, where you
can make use of the Python parser to do some of your work, and then
look at the abstract syntax tree. What you'd be doing is something
similar to ast.literal_eval, but with a few more permitted options.
For instance, you might allow Name nodes as long as the name is part
of a whitelist, and allow BinOp, but not allow Attribute lookup. (It
would be easiest if you make all your math functions available as
simple names - "log" not "math.log" - to make this easy.) Once you've
parsed the expression to an abstract syntax tree, then walked the tree
and made sure everything fits your requirements, you can then compile
it the rest of the way and run it.

It's a lot more work than simply calling eval, but it's a lot less
than trying to build your own parser from scratch and try to make it
flexible enough to be useful.

Research the "ast" module for some ideas on what you can do.

ChrisA
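
The validate-then-compile approach described in the message above, extended to the multi-line assignment recipes from the original question. This is an added example, not code from any poster in the thread; FUNCS, RecipeError, run_recipe and the sample recipe are assumptions made for illustration.

```python
import ast
import math

# Assumed whitelist, exposed as simple names ("log", not "math.log").
FUNCS = {"log": math.log, "sqrt": math.sqrt, "exp": math.exp}
BIN_OPS = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod)  # Pow left out: 9**9**9 stalls
UNARY_OPS = (ast.USub, ast.UAdd)

class RecipeError(ValueError):
    """Raised when a recipe uses syntax outside the whitelist."""

def _check_expr(node, variables):
    if isinstance(node, ast.Constant):
        if type(node.value) not in (int, float):
            raise RecipeError(f"constant {node.value!r} not allowed")
    elif isinstance(node, ast.Name):
        if node.id not in variables:
            raise RecipeError(f"unknown name {node.id!r}")
    elif isinstance(node, ast.BinOp) and isinstance(node.op, BIN_OPS):
        _check_expr(node.left, variables)
        _check_expr(node.right, variables)
    elif isinstance(node, ast.UnaryOp) and isinstance(node.op, UNARY_OPS):
        _check_expr(node.operand, variables)
    elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
          and node.func.id in FUNCS and not node.keywords):
        for arg in node.args:
            _check_expr(arg, variables)
    else:  # Attribute, Subscript, Lambda, comprehensions, other operators, ...
        raise RecipeError(f"{type(node).__name__} not allowed")

def run_recipe(source, inputs):
    """Check every statement of a recipe, then compile and run the checked tree."""
    tree = ast.parse(source, mode="exec")
    variables = set(inputs)
    for stmt in tree.body:
        if not (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)
                and stmt.targets[0].id not in FUNCS):
            raise RecipeError(f"line {stmt.lineno}: only 'name = expression' allowed")
        _check_expr(stmt.value, variables)
        variables.add(stmt.targets[0].id)
    env = dict(inputs)  # recipe variables live here; FUNCS are the only globals
    exec(compile(tree, "<recipe>", "exec"), {"__builtins__": {}, **FUNCS}, env)
    return env

# Constructed sample recipe, standing in for one loaded from the database.
RECIPE = "area = width * height\nscore = log(area) + sqrt(width) / 2\n"
```

The check covers syntax only; recipe length and run time still need limits of their own.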


Re: How to hide warning about drop table message to MariaDB

2020-01-19 Thread DL Neil via Python-list

On 20/01/20 4:35 AM, Python wrote:

^Bart wrote:

I ran this code:

#!/usr/bin/python
import MySQLdb

# Open database connection
db = MySQLdb.connect("localhost","root","MyPwd","MyDB")

# prepare a cursor object using cursor() method
cursor = db.cursor()

# Drop table if it already exist using execute() method.
cursor.execute("DROP TABLE IF EXISTS EMPLOYEE")

# Create table as per requirement
sql = """CREATE TABLE EMPLOYEE (
  FIRST_NAME  CHAR(20) NOT NULL,
  LAST_NAME  CHAR(20),
  AGE INT,
  SEX CHAR(1),
  INCOME FLOAT )"""

cursor.execute(sql)

# disconnect from server
db.close()

The table is created but I have also the below warning and I'd like to 
hide it:


Warning (from warnings module):
   File "/home/gabriele/Corso_4.0/Python/MySQL_create_table.py", line 11
 cursor.execute("DROP TABLE IF EXISTS EMPLOYEE")
Warning: (1051, "Unknown table 'gabfood.EMPLOYEE'")
 >>>


import warnings

with warnings.catch_warnings():
     warnings.simplefilter("ignore")
     # your code



Recommend starting at the source (hah!) of the problem: MySQL!
(above includes (small!) risk of Python warnings becoming wrapped-up in 
what is actually a MySQL-specific  'problem')


NB I use the MySQL Connector/Python, downloaded from the MySQL Dev site 
(also source of useful manuals).
- intriguingly I've always understood the manuals to say that raising 
Warnings is False, ie suppressed; yet history shows that the behavior 
is/has always been (to my recollection) that Warnings are raised...
- similarly, we both seem to expect that if the SQL includes "IF EXISTS" 
we've already foreseen and wish to side-step the problem???



Option 1:
Amongst the connector's batteries-included are a bunch of Exception 
classes including "mysql.connector.errors.Warning". These enable queries 
to be wrapped in try-except blocks, eg:


try:
    cursor.execute(sql)
except MySQL_warning:
    # which could be more precise, as you desire
    # ie check tbl != exist, then pass
    pass


Option 2:
Please review the MySQL Connectors and APIs guide (or the Python-only 
version). You will find Section 7.5 "Connector/Python Coding Examples" 
illustrative. (there are also some (rather thin) tutorials - but better 
than nothing!). Section 7.9 "Connector/Python API Reference" offers 
additional MySQL 'commands' which you might use to suppress the Warning 
before it is raised.


--
Regards =dn
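
The risk noted above, that a blanket "ignore" filter also swallows unrelated Python warnings, shown next to a filter scoped to the 1051 note. This is an added example, not code from the thread: DriverWarning is a constructed stand-in for the driver's own warning class (MySQLdb.Warning in the original script), and it assumes the driver passes (1051, "...") as the warning's arguments, as the quoted output suggests.

```python
import warnings

class DriverWarning(Warning):
    """Constructed stand-in for the database driver's warning class."""

def fake_drop_table():
    # Constructed: the driver note from the thread plus an unrelated warning.
    warnings.warn(DriverWarning(1051, "Unknown table 'gabfood.EMPLOYEE'"))
    warnings.warn("constructed unrelated deprecation notice", DeprecationWarning)

def surviving_warnings(action, narrow):
    """Run action() under a filter and return the warnings that still surface."""
    with warnings.catch_warnings(record=True) as seen:
        warnings.simplefilter("always")
        if narrow:
            # Hide only driver warnings whose text starts with "(1051,".
            warnings.filterwarnings("ignore", message=r"\(1051,",
                                    category=DriverWarning)
        else:
            warnings.simplefilter("ignore")  # the blanket filter
        action()
    return [(w.category.__name__, str(w.message)) for w in seen]
```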


How to hide warning about drop table message to MariaDB

2020-01-19 Thread ^Bart

I ran this code:

#!/usr/bin/python
import MySQLdb

# Open database connection
db = MySQLdb.connect("localhost","root","MyPwd","MyDB")

# prepare a cursor object using cursor() method
cursor = db.cursor()

# Drop table if it already exist using execute() method.
cursor.execute("DROP TABLE IF EXISTS EMPLOYEE")

# Create table as per requirement
sql = """CREATE TABLE EMPLOYEE (
 FIRST_NAME  CHAR(20) NOT NULL,
 LAST_NAME  CHAR(20),
 AGE INT,
 SEX CHAR(1),
 INCOME FLOAT )"""

cursor.execute(sql)

# disconnect from server
db.close()

The table is created but I have also the below warning and I'd like to 
hide it:


Warning (from warnings module):
  File "/home/gabriele/Corso_4.0/Python/MySQL_create_table.py", line 11
cursor.execute("DROP TABLE IF EXISTS EMPLOYEE")
Warning: (1051, "Unknown table 'gabfood.EMPLOYEE'")
>>>

How could I do it?
^Bart


Re: Sandboxing eval() (was: Calculator)

2020-01-19 Thread Grant Edwards
On 2020-01-19, Jon Ribbens via Python-list  wrote:
> On 2020-01-19, [email protected]  wrote:
>> Is it actually possible to build a "sandbox" around eval [...]
>>
>> [...]
>> 
>> It works, but is it safe?
>
> No, not even slightly. If you want to do this you need to write your
> own interpreter that runs your own domain-specific language.

And for that, one is often pointed to the ast module as a starting
point.  Here's an excerpt from an expression evaluator I wrote as part
of a two-pass symbolic assembler. [NB: it may have security issues
too, but they should be easier to find/fix than anything involving
eval()]


# evaluate an arithmetic expression in the context of the symbol table.
# only the operators in the table below are supported
# (symbolTable, PC and errormsg() are defined elsewhere in the assembler)

import ast, operator
operators = \
    {
    # unary
    ast.Invert: operator.invert,
    ast.USub:   operator.neg,
    ast.UAdd:   operator.pos,
    # binary
    ast.Add:    operator.iadd,
    ast.Sub:    operator.isub,
    ast.Mult:   operator.imul,
    ast.Div:    operator.ifloordiv,  # operator.idiv exists only in Python 2
    ast.BitXor: operator.ixor,
    ast.BitAnd: operator.iand,
    ast.BitOr:  operator.ior,
    ast.LShift: operator.lshift,
    ast.RShift: operator.rshift,
    ast.Mod:    operator.mod,
    ast.Pow:    operator.pow,
    }

def _eval_expr(node):
    global symbolTable, PC
    if isinstance(node, ast.Name):
        if node.id == "PC":
            return PC
        if node.id not in symbolTable:
            raise Exception("name '%s' undefined" % node.id)
        return symbolTable[node.id]
    # ast.Num and ast.Str are deprecated; literals now parse as ast.Constant
    elif isinstance(node, ast.Constant) and type(node.value) in (int, float, complex):
        return node.value
    elif isinstance(node, ast.Constant) and isinstance(node.value, str):
        if len(node.value) != 1:
            raise Exception("invalid string constant '%s' must be single character" % node.value)
        return ord(node.value[0])
    elif isinstance(node, ast.operator) or isinstance(node, ast.unaryop):
        if type(node) not in operators:
            errormsg(repr(dir(node)))
            raise Exception("illegal operator '%s'" % node)
        return operators[type(node)]
    elif isinstance(node, ast.BinOp):
        return _eval_expr(node.op)(_eval_expr(node.left), _eval_expr(node.right))
    elif isinstance(node, ast.UnaryOp):
        return _eval_expr(node.op)(_eval_expr(node.operand))
    else:
        raise Exception("unsupported node type %s" % node)

def eval_expr(expr):
    return _eval_expr(ast.parse(expr).body[0].value)


