Re: [Tutor] Python 2.7 on Ubuntu 11.10 - Do not unintall
Heh, yeah. It's usually a bad idea to do stuff like that (I know a guy (Windows) who deleted his OS of his system). On Nov 1, 2011, at 7:40 PM, Joel Montes de Oca wrote: > I just discovered that it is a bad idea to complete uninstall Python 2.7 on > Ubuntu 11.10. If you do, expect a lot of things not to work, mainly your > system. haha > > I just reinstalled Python 2.7 and I hope things are not so bad now when I > reboot. > > -- > -Joel M. > > ___ > Tutor maillist - Tutor@python.org > To unsubscribe or change subscription options: > http://mail.python.org/mailman/listinfo/tutor ___ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: http://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] Assigning variables with names set by other variables
Thanks Steven.
On Nov 4, 2011, at 6:45 PM, Steven D'Aprano wrote:
> Max S. wrote:
>> Is it possible to create a variable with a string held by another variable
>> in Python? For example,
>
> Yes, but you shouldn't do it. Seriously. Don't do this, you will regret it.
>
>var_name = input("Variable name? ") # use raw_input in Python 2
>exec("%s = 4" % var_name)
>
>
> Instead, you should use a dictionary, like this:
>
>var_name = input("Variable name? ")
>table = {var_name: 4}
>
> and then later when you need to retrieve the value:
>
>print(table[var_name])
>
>
>
> Why shouldn't you use exec?
>
> Three main reasons:
>
> (1) This code contains a MAJOR vulnerability to a code injection attack.
> There are enough code injection vulnerabilities in the world without you
> adding to it, please don't add another.
>
> (2) It makes for hard to read, difficult to follow code.
>
> (3) It's slow.
>
>
> If you don't know what code injection attacks means, consider this simple
> example where I create a variable spam=4 while executing any code I like:
>
> >>> var_name = input('Enter the variable name: ')
> Enter the variable name: print(123*456); spam
> >>> exec("%s = 4" % var_name)
> 56088
> >>> spam
> 4
>
>
> In this case, executing "print(123*456)" is harmless, but annoying, but it
> could do *anything* that Python can do (which is pretty much *anything at
> all*: delete files, send email, take over your computer, anything). Code
> injection attacks are among the two or three most common methods that viruses
> and malware operate.
>
> Sanitising user input so it is safe to pass to exec is a hard job. But
> suppose you do it (somehow!):
>
>var_name = sanitise(input('Enter the variable name: '))
>exec("%s = 4" % var_name)
># ...
># ... later on
># ...
>print(spam+1) # do something useful with the new variable
>
> But wait, that can't work! How do you know that the variable is called
> "spam"? You don't. It could be called anything. So now you have to do this:
>
>exec("print(%s+1)" % var_name)
>
> which is a nuisance, it is harder to read and harder to follow, and defeats
> any of the useful features in your editor or IDE. It gets worse if you need
> to use this var_name repeatedly:
>
>exec("print(%s+1)" % var_name)
>exec("my_list = [1, 2, 3, %s, 5]" % var_name)
>print(my_list)
>exec("y = func(23, %s, 42) + %s" % (var_name, var_name))
>print(y)
>
> How tedious and painful and hard to follow. And it is potentially buggy: what
> if the user typed "func" as the variable name, by accident? Or over-wrote one
> of your other variables?
>
> And it's slow. Every time you call exec(), Python has to run a
> mini-interpreter over the string, analyzing it, splitting it into tokens,
> compiling it into code that can be executed, and then finally execute it. In
> general, this is slow: in my experience, running exec("command") is about 10
> times slower than just running command directly.
>
> So just avoid using exec. Anytime you think you need exec, you almost
> certainly do not. And you definitely don't need it for indirect variables!
> Just use a dictionary instead:
>
>var_name = input("Variable name? ")
>table = {var_name: 4}
># ...
># ... later on
># ...
>print(table[var_name]+1)
>my_list = [1, 2, 3, table[var_name], 5]
>print(my_list)
>y = func(23, table[var_name], 42) + table[var_name]
>print(y)
>
>
>
>
> --
> Steven
>
> ___
> Tutor maillist - Tutor@python.org
> To unsubscribe or change subscription options:
> http://mail.python.org/mailman/listinfo/tutor
___
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] Assigning variables with names set by other variables
Thank you, Wayne! This helps a lot.
On Nov 4, 2011, at 5:38 PM, Wayne Werner wrote:
> On Fri, Nov 4, 2011 at 4:21 PM, Max S. wrote:
> Is it possible to create a variable with a string held by another variable in
> Python? For example,
>
> >>> var_name = input("Variable name: ")
> (input: 'var')
> >>> var_name = 4
> >>> print(var)
> (output: 4)
>
> (Yeah, I know that if this gets typed into Python, it won't work. It just
> pseudocode.)
>
> There are a few ways to do what you want. The most dangerous (you should
> never use this unless you are 100% absolutely, totally for certain that the
> input will be safe. Which means you should probably not use it) method is by
> using exec(), which does what it sounds like: it executes whatever is passed
> to it in a string:
>
> >>> statement = input("Variable name: ")
> Variable name: var
> >>> exec(statement + "=4")
> >>> var
> 4
>
> The (hopefully) obvious danger here is that someone could type anything into
> this statement:
>
> >>> statement = input("Variable name: ")
> Variable name: import sys; sys.exit(1); x
> >>> exec(statement + " =4")
>
> and now you're at your prompt. If the user wanted to do something more
> malicious there are commands like shutil.rmtree that could do *much* more
> damage.
>
> A much safer way is to use a dictionary:
>
> >>> safety = {}
> >>> safety[input("Variable Name: ")] = 4
> Variable Name: my_var
> >>> safety["my_var"]
> 4
>
> It requires a little more typing, but it also has the advantage of accepting
> perfectly arbitrary strings.
>
> There may be some other ways to do what you want, but hopefully that should
> get you started.
> HTH,
> Wayne
___
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] Saving read-only or encoded text files?
Thank you. This will work perfectly. On Nov 18, 2011, at 11:58 AM, Prasad, Ramit wrote: > Hi. I've been using a lot of text files recently, and I'm starting to worry > about a user hacking some element by editing the text files. I know that I > can pickle my data instead, creating less easily editable (try saying that > five times fast) .dat files, but I'd rather store individual variables rather > than lists of objects. Is there a way to make my text files either read-only > or saved in some way that they can't be opened, or at least not so easily as > double-clicking on them? I just want some slightly more secure code, though > it's not too important. I just thought I'd ask. > == > > Any file will eventually be able to be reverse engineered, but it matters how > much effort you care to obfuscate it. The way you can do it will vary based > on your OS. > > For Windows, you can change the file extension to something that is not read > by most text editors '.zxy'. It will still be able to be read if they try and > open it with a text editor, but double clicking will not work by default. > You can also try setting the file attribute directly: > http://code.activestate.com/recipes/303343-changing-file-attributes-on-windows/ > > > For *nix/OS X, you can prepend the file with "." as those files are hidden by > default on most *nix systems I have used. You can also try to use > os.chmod(0###, 'filename'). > > > Keep in mind that all of these solutions are probably user reversible since > the application will have the permissions of the user account it is run as; > in most cases this is the same as the logged in user. > > > > Ramit > > > Ramit Prasad | JPMorgan Chase Investment Bank | Currencies Technology > 712 Main Street | Houston, TX 77002 > work phone: 713 - 216 - 5423 > > -- > This email is confidential and subject to important disclaimers and > conditions including on offers for the purchase or sale of > securities, accuracy and completeness of information, viruses, > confidentiality, legal privilege, and legal entity disclaimers, > available at http://www.jpmorgan.com/pages/disclosures/email. > ___ > Tutor maillist - Tutor@python.org > To unsubscribe or change subscription options: > http://mail.python.org/mailman/listinfo/tutor ___ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: http://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] why doesn't python show error
In some cases, it is a useful fact that Python only shows error messages when
they are encountered. For example, I can test a program while keeping away
from an area that still doesn't work, rather than having to make it work
flawlessly before my first test.
Python *can* generate executables with py2exe, though if you use Python 3
you'll need to learn to convert your code to Python 2. Or, as Blender does,
you could include Python in the download of your program, so that the user
installs both your program and Python.
On Nov 28, 2011, at 4:53 AM, surya k wrote:
>
> 1. Why doesn't python show error(description given below) at the beginning
> when we use functions which aren't present in the standard modules...
>
> Example:
>
> TheString = raw_input('enter a string')lengthofStr = strlen(TheString)Look
> closely, I used a wrong function to find length of the string. [ strlen( )
> belongs to C ].When I run the program, it didn't show any error but when
> entered input, it then showed up!.Why python doesn't show error at the
> beginning just like C does?2. Why doesn't python create executable file (.exe
> ) when we run the code.. If this doesn't do, how can I share my program..
> does everyone need to have python to check others code and know what it does?
>
> ___
> Tutor maillist - Tutor@python.org
> To unsubscribe or change subscription options:
> http://mail.python.org/mailman/listinfo/tutor
___
Tutor maillist - Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
Re: [Tutor] Need Explanation...
On Dec 10, 2011, at 12:04 PM, Alan Gauld wrote: > On 10/12/11 16:46, Steven D'Aprano wrote: > >> ...the alternative would also have caught out everybody at some point. >> Consider a hypothetical Python where mutator methods returned a result: >> >> a = [1, 2, 3] >> b = a.append(4) >> >> Does this mean...? >> >> * append 4 to a, then return a (and therefore a and b are >> alternative names for the same list) > > This is what I'd expect. > I'm thinking about the Smalltalk model where the default return > value from a method is self... > > I'm particularly sensitive to this just now because I'm playing > with Squeak (again) and the elegance and consistency of > Smalltalk's mechanism stands in stark contrast to the mixed > model in Python. (OTOH Smalltalk overall is a frustrating > experience for me, I would like to love it but never quite > get there... :-) Personally, I found that returning a copy of a seemed more logical- after all, if you return 4 to b, then adding 2 to b wouldn't make 4 equal 6. > >> circumstances, regardless of which behaviour was choosen for append, it >> would catch out some people some time. > > Probably, although if returning 'self' were the default (which > of course only makes sense in a pure OO world like Smalltalk) people would > get used to the semantics. Consistency is all in these kinds of situations. > Sadly its one of the few areas where Python is slightly inconsistent. > >> A better alternative would be for Python to have procedures as well as >> functions/methods, so that: >> >> b = a.append(4) >> >> would raise an exception immediately. > > Better than silently returning None for sure. Of course, by silently returning None, you can just go on with your daily life and be happily ignorant of any return value; in other more strongly typed languages, the void functions/methods tend to alter other variables and situations more than, for example, ints. I feel myself that it is no more trouble to simply type 'a.append(4); b = a'. > > -- > Alan G > Author of the Learn to Program web site > http://www.alan-g.me.uk/ > > ___ > Tutor maillist - Tutor@python.org > To unsubscribe or change subscription options: > http://mail.python.org/mailman/listinfo/tutor ___ Tutor maillist - Tutor@python.org To unsubscribe or change subscription options: http://mail.python.org/mailman/listinfo/tutor
