> Subject: announce: FAQs suggested ...
> http://effbot.org/pyfaq/suggest.htm has new FAQ's ...
>
> FAQ: How do I calculate what quoted strings and numbers mean?
>
> A: eval(source, {'__builtins__': {}}) works, without also accidentally
> accepting OS commands as input.
>
> Note: Eval might surprise you if you mistype this idiom as: eval(source, {}).
>
> Note: This idiom makes sense of ordinary Python literals (such as 010, 0x8,
> 8.125e+0, and "\x45ight"). This idiom also correctly interprets simple
> literal expressions, such as 64**0.5.
That suggested FAQ is misleadingly incorrect as stated - we need help rewording it.

/F correctly commented: "eval" is never a good choice if you cannot trust the source; it's trivial to do various denial-of-service attacks. See http://effbot.org/zone/librarybook-core-eval.htm

Correspondingly, newbie me, I actually did copy the eval(source, {'__builtins__': {}}) idiom into some code from that page without noticing the comments re the cost of evaluating literal expressions like 'a' * (10**9), abuses of __subclass__ and mro(), etc.

But those objections miss the point. Having had those troubles explained to me now, I'm still leaving my code unchanged - it still does what I mean. That is, eval(source, {'__builtins__': {}}) works enough like an evaluator of literals to let you duck the work of writing that evaluator until you need it. Yagni.

That's useful, and likely an FAQ. Anybody out there able to say concisely what we really mean to say here?

Thanks in advance,

Pat LaVarre
--
http://mail.python.org/mailman/listinfo/python-list
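The "evaluator of literals" the post is asking for, as an added example that is not part of the original thread: the standard library's ast.literal_eval (added in Python 2.6, after this post was written) accepts only literal syntax, so it makes sense of the literals the suggested FAQ lists while refusing the expression forms that make the eval idiom risky. The helper names and the sample inputs below are constructed for this example; the octal literal is written in Python 3 form.

```python
import ast

# Constructed sample inputs: the literals named in the suggested FAQ
# (010 written as 0o10 for Python 3) plus expressions that the
# eval(source, {'__builtins__': {}}) idiom would evaluate rather than reject.
LITERALS = ['0o10', '0x8', '8.125e+0', '"\\x45ight"', "[1, (2, 3), {'k': None}]"]
EXPRESSIONS = ['64**0.5', "'a' * (10**9)", '().__class__.__mro__']


def parse_literal(source):
    """Return the Python value of a literal, or raise ValueError.

    ast.literal_eval only accepts literal syntax (strings, bytes, numbers,
    tuples, lists, dicts, sets, booleans, None), so operators, attribute
    access and calls are rejected before anything is computed.
    """
    try:
        return ast.literal_eval(source)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {source!r}") from exc


def restricted_eval(source):
    """The idiom from the suggested FAQ, kept here only for comparison:
    it removes the builtins namespace but still evaluates arbitrary
    expressions, which is the point /F's comment makes."""
    return eval(source, {'__builtins__': {}})


def classify(sources):
    """Split inputs into those parse_literal accepts (with their values)
    and those it rejects, preserving input order."""
    accepted, rejected = {}, []
    for src in sources:
        try:
            accepted[src] = parse_literal(src)
        except ValueError:
            rejected.append(src)
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = classify(LITERALS + EXPRESSIONS)
    for src, value in accepted.items():
        print(f"literal  {src!r:30} -> {value!r}")
    for src in rejected:
        print(f"rejected {src!r}")
    # The eval idiom happily computes the expression that literal_eval refuses.
    print("restricted_eval('64**0.5') ->", restricted_eval('64**0.5'))
```

The contrast is the whole caveat: restricted_eval('64**0.5') returns 8.0 and would just as readily evaluate the 'a' * (10**9) example from the thread, whereas parse_literal raises ValueError for both and never computes them.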