On Aug 29, 7:42 am, Fett <[EMAIL PROTECTED]> wrote:
> On Aug 28, 7:57 pm, Paul Rubin <http://[EMAIL PROTECTED]> wrote:
>
> So long story short: if I am expecting a dictionary of strings, I
> should make a parser that only accepts a dictionary of strings then.
> There is no safe way to use an existing construct.
>
> That is what I was afraid of. I know I will have to deal with the
> possibility of bad data, but considering my use (an acronym legend for
> a database), and the fact that the site I plan to use should be
> secure, these issues should be minimal. The users should be able to
> spot any obvious false data, and restoring it should be simple.
>
> Many thanks to all of you for your alarmist remarks. I certainly don't
> want to, in any way, put my clients' computers at risk by providing
> unsafe code.

On a related note, what if I encrypted and signed the data, then only ran eval() on the string after it was decrypted and the signature verified? It has occurred to me that posting this data on a site might not be the best idea unless I can be sure that it is not read by anyone that it shouldn't be. So I figure encryption is needed, and as long as I can sign it as well, then only people with my private signing key could pass bad data, much less harmful strings.

--
http://mail.python.org/mailman/listinfo/python-list
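
Added example, not part of the original post: the two ideas raised in this thread, checking a signature before touching the data and accepting only a dictionary of strings, combined with `ast.literal_eval` in place of `eval()`. HMAC-SHA256 with a shared key stands in for the private-key signature the post describes; the key, the size limit, the function names and the sample data are all constructed assumptions.

```python
import ast
import hashlib
import hmac

# Constructed demo key. The post describes a private signing key; HMAC with a
# shared secret stands in for that here (assumption, stdlib only).
DEMO_KEY = b"constructed-demo-key"
MAX_BYTES = 64 * 1024  # assumed limit: refuse oversized input before parsing


def sign(payload: bytes, key: bytes = DEMO_KEY) -> str:
    """Return the hex HMAC-SHA256 tag for payload."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def load_legend(payload: bytes, tag: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the tag, then accept only a literal dict of str -> str."""
    if len(payload) > MAX_BYTES:
        raise ValueError("payload too large")
    # Constant-time comparison; reject before any parsing happens.
    if not hmac.compare_digest(sign(payload, key).encode(), tag.encode()):
        raise ValueError("bad signature")
    try:
        # literal_eval builds literals only: no calls, names or attributes.
        data = ast.literal_eval(payload.decode("utf-8"))
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("not a Python literal") from exc
    if not isinstance(data, dict):
        raise ValueError("top level must be a dict")
    for k, v in data.items():
        if not (isinstance(k, str) and isinstance(v, str)):
            raise ValueError("keys and values must be strings")
    return data


# Constructed sample inputs.
GOOD = b'{"ACL": "access control list", "IDS": "intrusion detection system"}'
CALL = b'__import__("os").getcwd()'          # an expression eval() would run
NESTED = b'{"ACL": ["not", "a", "string"]}'  # a literal, but the wrong shape

if __name__ == "__main__":
    print(load_legend(GOOD, sign(GOOD)))
```

The signature check answers who produced the data; the literal-only parse and the type check bound what a correctly signed payload can do, including one signed by mistake or with a leaked key.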