Carl Banks wrote:
> Delaney, Timothy (Tim) wrote:
>> Steve Lianoglou wrote:
>>
>>> So, for instance, you can write:
>>> my_list = eval('[1,2,3,4]')
>>
>> This is just asking for trouble.
>>
>> my_list = eval('import shutil; shutil.rmtree('/')')
>
> Fortunately, that won't work because eval expects an expression.
> Unfortunately, this will:
>
> my_list = eval('__import__("shutil").rmtree("/")')
Yeah - forgot the specifics in getting the point across ;)

To answer the other question - when should you use eval? When the risk/reward warrants it. What is the risk of using eval (or exec) on untrusted code?

Note that you *have* to decide where the line is drawn, because effectively all .py files run through the same process (not quite, but I hope you can see where I'm going).

For me, the line in nearly every case is to not use eval/exec - use something else that validates - like int().

Tim Delaney
-- 
http://mail.python.org/mailman/listinfo/python-list
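An added example, not from anyone in the thread, of the alternative Tim describes: validate untrusted text with `int()` or `ast.literal_eval()` instead of handing it to `eval()`. The function names (`parse_int`, `parse_int_list`, `classify`) and the sample inputs are constructed for this demonstration; the `__import__("shutil")` string is the one quoted above, and here it is only classified, never executed.

```python
"""Added example (not from the thread): validating untrusted input instead of
calling eval() on it.

int() validates a single number and ast.literal_eval() parses a literal such as
a list.  Neither executes code, so the '__import__("shutil").rmtree("/")' string
quoted in the thread is rejected rather than run.  All sample inputs below are
constructed for the demonstration.
"""
import ast
from typing import List

# Constructed sample inputs: two benign, two that must be rejected.
SAMPLE_INPUTS = {
    "good_list": "[1,2,3,4]",
    "good_int": "42",
    "expression": "__import__('shutil').rmtree('/')",  # quoted in the thread; never passed to eval here
    "nested_call": "[1, 2, int('3')]",                  # contains a call, so it is not a literal
}


def parse_int(text: str) -> int:
    """Validate a single integer with int(); raises ValueError on anything else."""
    return int(text.strip())


def parse_int_list(text: str, max_items: int = 1000) -> List[int]:
    """Parse a list-of-integers literal without eval().

    ast.literal_eval accepts only Python literals (numbers, strings, tuples,
    lists, dicts, sets, booleans, None).  Names and calls such as __import__
    raise ValueError instead of executing.  The result is then shape-checked so
    callers get exactly a list of ints or an exception.
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc
    if not isinstance(value, list):
        raise ValueError("expected a list literal")
    if len(value) > max_items:
        raise ValueError("list too long")
    for item in value:
        # bool is a subclass of int, so reject it explicitly
        if not isinstance(item, int) or isinstance(item, bool):
            raise ValueError(f"non-integer element: {item!r}")
    return value


def classify(text: str) -> str:
    """Return 'accepted' or 'rejected' for an untrusted string, never executing it."""
    try:
        parse_int_list(text)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for name, raw in SAMPLE_INPUTS.items():
        print(f"{name:12s} {raw!r:45s} -> {classify(raw)}")
```

The shape check after `literal_eval` matters as much as avoiding `eval`: a literal can still be a huge nested structure or the wrong type, so the parser pins down exactly what it returns and raises `ValueError` for everything else, which is the same contract `int()` gives.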