Hm, I'm not sure I see your point. Could an evil hacker not just as easily change the dictionary in the Python code (or somewhere else in the code) to perform such evil operations?
--C

2007/3/5, ALAN GAULD <[EMAIL PROTECTED]>:
> That's neat. When just the function call is the string,
> eval() seems appropriate. (For example, if reading what
> function to call from a file.)

It's convenient but incredibly dangerous. It's much better in that case to create a dictionary of allowed (i.e. safe!) functions that can be read and then look that up from the file input. Otherwise anyone who can access the file (legitimately or otherwise) can start calling any of the standard Python functions, including os.unlink() to delete files, or even os.system(), to do just about anything - howsabout formatting your disk?

    import sys

    # some_func and another_func are assumed to be defined elsewhere
    ok_funks = { 'some_func' : some_func,
                 'another_func': another_func,
                 'some_fancy_name': sys.exit }

    func = raw_input('type a function name>')
    try:
        ok_funks[func]()
    except KeyError:   # a bare except would also swallow sys.exit's SystemExit
        print 'Thats not a valid function'

eval and exec are seductively powerful but they are immensely dangerous in a world of crackers and virus makers. They should only ever be used in strictly controlled scenarios and even then as a last resort.

HTH,

Alan G.
--
E. Cecilia Alm
Graduate student, Dept. of Linguistics, UIUC
Office: 2013 Beckman Institute
_______________________________________________ Tutor maillist - Tutor@python.org http://mail.python.org/mailman/listinfo/tutor
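
Added example, not part of the original thread: the dictionary-lookup pattern from the quoted message, written for Python 3 and run over a few input lines, with a check of what eval() would have resolved for the same strings. The function names (report, cleanup, dispatch, eval_resolves, audit) and the sample lines are constructed for illustration.

```python
# Added example (Python 3). All names and the sample input are constructed.
import os   # imported only so that eval("os.unlink") can resolve below
import sys  # likewise for eval("sys.exit")

def report():
    return "report generated"

def cleanup():
    return "cleanup done"

# The allowlist: the only callables that file or user input may select.
OK_FUNCS = {"report": report, "cleanup": cleanup}

def dispatch(name, table=OK_FUNCS):
    """Call the allowlisted function called `name`; reject anything else."""
    key = name.strip()
    try:
        func = table[key]          # plain dict lookup, nothing is evaluated
    except KeyError:
        raise ValueError("not an allowed function: %r" % key) from None
    # Called outside the try block, so errors raised by the function itself
    # are not misreported as "not a valid function".
    return func()

def eval_resolves(expr):
    """Return True if eval() would turn `expr` into a callable.
    The object is only looked up here, never called."""
    try:
        return callable(eval(expr))
    except Exception:
        return False

# Constructed stand-in for the lines of a "which function to call" file.
SAMPLE_LINES = ["report", " cleanup ", "os.unlink", "sys.exit", "no_such"]

def audit(lines):
    """For each line: (name, result or 'REJECTED', would eval resolve it?)."""
    rows = []
    for line in lines:
        try:
            outcome = dispatch(line)
        except ValueError:
            outcome = "REJECTED"
        rows.append((line.strip(), outcome, eval_resolves(line.strip())))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_LINES):
        print(row)
```

The rows for os.unlink and sys.exit come back REJECTED by the lookup even though eval() would resolve both to callables: the input can only select an entry of the table, never name something new.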