On Sat, 14 Jan 2006 16:58:55 -0500, Mike Meyer <[EMAIL PROTECTED]> wrote:
>"Giovanni Bajo" <[EMAIL PROTECTED]> writes:
>> [EMAIL PROTECTED] wrote:
>>> Try...
>>> >>> for i in bytes: print ord(i)
>>> or
>>> >>> len(bytes)
>>> What you see isn't always what you have. Your database is capable of
>>> storing \ x 0 0 characters, but your string contains a single byte of
>>> value zero. When Python displays the string representation to you, it
>>> escapes the values so they can be displayed.
>> He can still store the repr of the string into the database, and then
>> reconstruct it with eval:
>
>repr and eval are overkill for this, and as a result create a
>security hole. Using encode('string-escape') and
>decode('string-escape') will do the same job without the security
>hole:

Using marshal at all introduces a similar security hole, so security is not an argument against repr()/eval() in this context.

Jean-Paul
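Added example, not part of the thread: the repr()/eval() round trip discussed above next to a literal-only parse, in Python 3. It assumes `ast.literal_eval` as the stand-in for the `string-escape` codec (which exists only in Python 2); the function names and the sample rows are constructed for illustration.

```python
import ast

def to_column(data: bytes) -> str:
    """Text form of a byte string, with NUL and other bytes escaped."""
    return repr(data)

def from_column_eval(text: str, namespace: dict) -> bytes:
    """The repr/eval round trip: evaluates whatever expression is stored."""
    return eval(text, namespace)

def from_column_literal(text: str) -> bytes:
    """Parse the stored text as a literal only and insist on bytes."""
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("stored value is not a literal") from exc
    if not isinstance(value, bytes):
        raise ValueError("stored value is not a bytes literal")
    return value

# Constructed sample data (hypothetical database contents).
ORIGINAL = b"abc\x00def\n"
# Constructed row that was modified after it was written: a harmless
# expression with a visible side effect instead of a bytes literal.
TAMPERED = "calls.append('ran') or b''"

def demo() -> dict:
    calls = []
    stored = to_column(ORIGINAL)
    results = {
        "stored_has_nul": "\x00" in stored,
        "roundtrip_ok": from_column_literal(stored) == ORIGINAL,
        # eval() happily runs the expression found in the row.
        "eval_value": from_column_eval(TAMPERED, {"calls": calls}),
        "eval_side_effects": list(calls),
    }
    try:
        from_column_literal(TAMPERED)
        results["literal_rejected"] = False
    except ValueError:
        results["literal_rejected"] = True
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```
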