Fredrik, thanks for your suggestion. Though the html pages that are generated are for internal use and input is verified before processing.
And more than just a solution in the current context, actually I was more curious about how one can do so in Python.

cheers,
amit.

On 11/22/05, Fredrik Lundh <[EMAIL PROTECTED]> wrote:
> Amit Khemka wrote:
>
> > Well actually the problem is I have a list of tuples which i cast as
> > string and then put in a html page as the value of a hidden variable.
> > And when i get the string again, i want to cast it back as list of tuples:
> > ex:
> > input: "('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> > ('foo2', 2, 'foobar2', (3, 2))"
> > output: [('foo', 1, 'foobar', (3, 0)), ('foo1', 2, 'foobar1', (3, 1)),
> > ('foo2', 2, 'foobar2', (3, 2))]
> >
> > I hope that explains it better...
>
> what do you think happens if the user manipulates the field values
> so they contain, say
>
>     os.system('rm -rf /')
>
> or
>
>     "'*'*1000000*2*2*2*2*2*2*2*2*2"
>
> or something similar?
>
> if you cannot cache session data on the server side, I'd
> recommend inventing a custom record format, and doing your
> own parsing. turning your data into e.g.
>
>     "foo:1:foobar:3:0+foo1:2:foobar1:3:1+foo2:2:foobar2:3:2"
>
> is trivial, and the resulting string can be trivially parsed by a couple
> of string splits and int() calls.
>
> to make things a little less obvious, and make it less likely that some
> character in your data causes problems for the HTML parser, you can
> use base64.encodestring on the result (this won't stop a hacker, of
> course, so you cannot put sensitive data in this field).
>
> </F>
>
> --
> http://mail.python.org/mailman/listinfo/python-list
>

--
----
Endless the world's turn, endless the sun's spinning
Endless the quest;
I turn again, back to my own beginning,
And here, find rest.
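
The custom record format suggested in the quoted reply, worked through as an added example that is not part of the original thread. The function names, the five-field layout (taken from the sample data) and the length cap are assumptions, and base64.urlsafe_b64encode stands in for base64.encodestring, which was removed in Python 3.9.

```python
import base64

MAX_FIELD_CHARS = 4096  # assumed cap on the hidden-field length

# Constructed sample: the list of tuples from the original question.
SAMPLE = [("foo", 1, "foobar", (3, 0)), ("foo1", 2, "foobar1", (3, 1)),
          ("foo2", 2, "foobar2", (3, 2))]


def encode_records(records):
    """Serialize (str, int, str, (int, int)) tuples as base64 of 'a:1:b:3:0+...'."""
    parts = []
    for name, num, label, (x, y) in records:
        for text in (name, label):
            if ":" in text or "+" in text:
                raise ValueError("separator character in %r" % text)
        parts.append("%s:%d:%s:%d:%d" % (name, num, label, x, y))
    return base64.urlsafe_b64encode("+".join(parts).encode("utf-8")).decode("ascii")


def decode_records(field):
    """Parse the hidden-field value back into a list of tuples, or raise ValueError."""
    if len(field) > MAX_FIELD_CHARS:
        raise ValueError("field too long")
    # binascii.Error and UnicodeError are both ValueError subclasses.
    raw = base64.urlsafe_b64decode(field.encode("ascii")).decode("utf-8")
    records = []
    for chunk in (raw.split("+") if raw else []):
        fields = chunk.split(":")
        if len(fields) != 5:
            raise ValueError("expected 5 fields, got %d" % len(fields))
        name, num, label, x, y = fields
        # int() accepts only an integer literal; nothing from the client is evaluated.
        records.append((name, int(num), label, (int(x), int(y))))
    return records


if __name__ == "__main__":
    token = encode_records(SAMPLE)
    print(token)
    print(decode_records(token))
```

A manipulated field value such as the two quoted above fails the field-count check or the int() conversion and raises ValueError instead of being executed.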