On 20/05/2013 09:55, Carlos Nepomuceno wrote:
----------------------------------------

Why don't you use eval()?


Because users can create their own columns, with their own constraints.
Therefore the string is user-modifiable, so it cannot be trusted.

I understand your motivation but I don't know what protection 
ast.literal_eval() is offering that eval() doesn't.


Quoting from the manual -

"Safely evaluate an expression node or a string containing a Python expression. The string or node provided may only consist of the following Python literal structures: strings, bytes, numbers, tuples, lists, dicts, sets, booleans, and None."

The operative word is 'safely'. I don't know the details, but it prevents the kinds of exploits that can be carried out by malicious code using eval().

I believe it is the same problem as SQL injection, which is solved by using parameterised queries.

Frank


--
http://mail.python.org/mailman/listinfo/python-list
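An added example, not code from the thread above, that shows what 'safely' buys in practice: ast.literal_eval() turns a user-modifiable constraint string into plain data and refuses anything that could run code, and the parsed bounds are then bound as parameters in the SQL, the same remedy Frank mentions for SQL injection. The items table, the length limit and the function names are assumptions of this example.

```python
import ast
import sqlite3

# Assumed limit: literal_eval still runs the full Python parser, so very long
# or deeply nested strings can exhaust memory or the stack before being rejected.
MAX_CONSTRAINT_LEN = 200

def parse_constraint(text):
    """Turn a user-modifiable constraint string into a plain Python value.
    Only literal structures (strings, bytes, numbers, tuples, lists, dicts, sets,
    booleans, None) are built; names, calls, attribute access and operators are
    rejected, so the string can never execute code.
    """
    if len(text) > MAX_CONSTRAINT_LEN:
        raise ValueError("constraint too long")
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"constraint is not a literal: {text!r}") from exc

def is_literal(text):
    """True when the string is accepted as a pure literal, False otherwise."""
    try:
        parse_constraint(text)
        return True
    except ValueError:
        return False

def rows_within(conn, column, constraint):
    """Apply a parsed {'min': x, 'max': y} constraint to the items table.
    Identifiers cannot be bound as parameters, so the column name is checked
    against the table's real columns; the bounds are bound as parameters,
    so user data never becomes SQL text.
    """
    real_columns = {row[1] for row in conn.execute("PRAGMA table_info(items)")}
    if column not in real_columns:
        raise ValueError(f"unknown column: {column!r}")
    sql = f'SELECT id FROM items WHERE "{column}" BETWEEN ? AND ? ORDER BY id'
    return [r[0] for r in conn.execute(sql, (constraint["min"], constraint["max"]))]

def demo():
    """Constructed sample: three rows filtered by a user-supplied constraint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, price REAL)")
    conn.executemany("INSERT INTO items (price) VALUES (?)", [(5,), (15,), (25,)])
    constraint = parse_constraint("{'min': 10, 'max': 30}")  # text a user could edit
    return rows_within(conn, "price", constraint)
```

Note that literal_eval() protects against code execution, not against resource exhaustion, which is why the length check sits in front of it.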
