James Reynolds wrote:

Alternatively, since you aren't actually passing a "tuple" but something
that looks like a python tuple as a string, you could eval it:

Please don't give beginners terrible advice like this.

There are already too many programs vulnerable to code injection attacks without us encouraging newbies to write more.

If anyone here doesn't know what a code injection attack is, and what it has to do with eval and exec, then please do not write another line of code until you have learned.


a = "('note',2048)"
b = eval(a)


And then one day somebody finds a way of passing input like this to your web server using that code:

"__import__('os').system('echo i got you now rm-rf')"

Say goodnight Gracie. I hope you have good backups.



--
Steven
_______________________________________________
Tutor maillist  -  Tutor@python.org
To unsubscribe or change subscription options:
http://mail.python.org/mailman/listinfo/tutor
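As an added example (not code from the thread), here is the safe way to turn the tuple-as-string from the original question into a real tuple: `ast.literal_eval` only accepts Python literals, so the `__import__('os').system(...)` payload quoted above is rejected instead of executed. The sample inputs and the `parse_tuple`/`is_safe_input` helper names are constructed for this example.

```python
import ast

# Constructed sample inputs: the benign tuple-as-string from the thread and the
# injection payload quoted in the reply, both treated as untrusted text.
BENIGN = "('note',2048)"
MALICIOUS = "__import__('os').system('echo i got you now rm-rf')"


def parse_tuple(text):
    """Parse a string such as "('note',2048)" into a (str, int) tuple.

    ast.literal_eval evaluates literals only (strings, numbers, tuples, lists,
    dicts, ...). Any name lookup, call or attribute access raises ValueError,
    so no code from the input ever runs.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError("input is not a Python literal: %r" % text) from exc
    # literal_eval still accepts *any* literal, so enforce the expected shape.
    if not (isinstance(value, tuple) and len(value) == 2):
        raise ValueError("expected a 2-tuple, got %r" % (value,))
    name, size = value
    if not isinstance(name, str):
        raise ValueError("first element must be a str, got %r" % (name,))
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(size, bool) or not isinstance(size, int):
        raise ValueError("second element must be an int, got %r" % (size,))
    return name, size


def is_safe_input(text):
    """True if parse_tuple accepts the input, False if it is rejected."""
    try:
        parse_tuple(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(parse_tuple(BENIGN))       # ('note', 2048)
    print(is_safe_input(MALICIOUS))  # False
```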
