Danny Yoo wrote:
>>> I have dynamic functions which are created by some algorithms during
>>> runtime. These functions are in string type. When I want to use it, I
>>> can use eval command. But can someone give me more suggestions about
>>> how to handle this problem, I want to avoid eval.
>>
>> Why avoid? It seems the simplest way.
>
> Hi Colin,
>
> The problem is that an eval()-like is too powerful for most programmers to
> use safely. Its danger is not a Python-specific issue, but common to any
> language that provides an eval() on arbitrary strings.
>
>     http://en.wikipedia.org/wiki/Eval#Security_risks
>
> This aversion to eval() isn't based on some theoretical worry; the PHP
> folks got hit by exploits that targeted eval-using code just a few months
> ago. Read the "Security" section of:
>
>     http://phpxmlrpc.sourceforge.net/#security
>
> to see what kind of issues eval() brings when we use it. They hit the
> same conceptual problem three times before they finally got humble enough
> to realize that eval() was the wrong tool.
>
> We have to learn from their mistakes, or else we'll make them ourselves.
> *grin*

Danny,
You make some good points here but I suggest that, in the real world, the risks are small. You might consider using exec instead. It would appear that one can specify a restricted environment in which the statement is executed.

Colin W.

_______________________________________________
Tutor maillist - Tutor@python.org
http://mail.python.org/mailman/listinfo/tutor
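The alternative the original poster was asking for, written out as an added example (this is not code from the thread): instead of handing a generated string to eval() or exec(), parse it with the `ast` module, walk the tree, and refuse every construct that is not on a short whitelist (numeric constants, declared parameter names, a few arithmetic operators, and a handful of named functions). A restricted globals dict passed to exec(), as suggested in the reply, only controls which names the code can see; it is not a security boundary in CPython, whereas a whitelist walker never executes the string at all. The parameter names, the `FUNCS` table and the `MAX_EXPONENT` resource guard are assumptions made for the example.

```python
import ast
import operator

# Operators the evaluator understands; any other node type is rejected
# before evaluation starts. (Example code, not from the mailing-list thread.)
BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
# The only callables an expression may invoke, looked up by bare name.
FUNCS = {"abs": abs, "min": min, "max": max}
MAX_EXPONENT = 1000  # assumed resource guard: refuse powers such as 9 ** 9 ** 9


class UnsafeExpression(ValueError):
    """Raised when an expression uses anything outside the whitelist."""


def validate(node, params):
    """Walk the AST and reject every construct not explicitly allowed."""
    if isinstance(node, ast.Expression):
        validate(node.body, params)
    elif isinstance(node, ast.Constant):
        if not isinstance(node.value, (int, float)) or isinstance(node.value, bool):
            raise UnsafeExpression(f"constant not allowed: {node.value!r}")
    elif isinstance(node, ast.Name):
        if node.id not in params and node.id not in FUNCS:
            raise UnsafeExpression(f"unknown name: {node.id}")
    elif isinstance(node, ast.BinOp):
        if type(node.op) not in BIN_OPS:
            raise UnsafeExpression(f"operator not allowed: {type(node.op).__name__}")
        validate(node.left, params)
        validate(node.right, params)
    elif isinstance(node, ast.UnaryOp):
        if type(node.op) not in UNARY_OPS:
            raise UnsafeExpression(f"operator not allowed: {type(node.op).__name__}")
        validate(node.operand, params)
    elif isinstance(node, ast.Call):
        if not (isinstance(node.func, ast.Name) and node.func.id in FUNCS):
            raise UnsafeExpression("only whitelisted functions may be called")
        if node.keywords:
            raise UnsafeExpression("keyword arguments not allowed")
        for arg in node.args:
            validate(arg, params)
    else:
        # Attribute access, subscripts, lambdas, comprehensions, strings, ...
        raise UnsafeExpression(f"construct not allowed: {type(node).__name__}")


def evaluate(node, env):
    """Evaluate an already validated AST against a dict of parameter values."""
    if isinstance(node, ast.Expression):
        return evaluate(node.body, env)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.BinOp):
        left, right = evaluate(node.left, env), evaluate(node.right, env)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp):
        return UNARY_OPS[type(node.op)](evaluate(node.operand, env))
    if isinstance(node, ast.Call):
        return FUNCS[node.func.id](*(evaluate(a, env) for a in node.args))
    raise UnsafeExpression(f"construct not allowed: {type(node).__name__}")


def make_function(source, params):
    """Turn a generated expression string into a Python callable without
    eval(): parse once, validate, then evaluate by walking the tree, so the
    string can only ever do arithmetic over the declared parameters."""
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"not a valid expression: {exc.msg}") from None
    validate(tree, params)

    def fn(*args):
        if len(args) != len(params):
            raise TypeError(f"expected {len(params)} arguments, got {len(args)}")
        return evaluate(tree, dict(zip(params, args)))

    return fn


def is_safe(source, params):
    """True if `source` passes validation, False if it was rejected."""
    try:
        make_function(source, params)
        return True
    except UnsafeExpression:
        return False


if __name__ == "__main__":
    # Constructed sample of a "generated" function string, as the poster describes.
    f = make_function("x * x + 2 * y - abs(z)", ["x", "y", "z"])
    print(f(3, 4, -5))
    for bad in ("__import__('os')", "x.__class__", "[1][0]", "x +"):
        print(bad, "->", "accepted" if is_safe(bad, ["x"]) else "rejected")
```

Because the string is never compiled into executable code, attribute access, subscripts, imports and arbitrary calls are rejected by the walker before anything runs; ordinary runtime errors such as ZeroDivisionError still propagate from evaluate() and should be caught by the caller like any other exception.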