bhaaluu wrote: > The original poster posted a post with the following function: > def dec(): > import string > message=raw_input("Enter the message to decode: ") > result='' > for x in string.split(message): > result=result+chr(eval(x)) > return result > > print dec() > which is from the book: > "Python programming: An introduction to CS" by John M. Zelle. > > As a Python Noob, I'm obviously ignorant of most of the Python > language, but I wonder why the author of a book would include > a function that is a "gaping security hole," when the int() function > would do the job just as nicely, and without the security concerns?
I can't answer for Mr Zelle. Looking at the book, he introduces int(), float() and long() shortly after the section containing the above example. > > Of course, I don't know what context the snippet is in because I > don't have a copy of the book in question. But as a Python Noob, > I really do appreciate your heads-up about eval(), and I have it > red-flagged as a 'gaping security' concern, and will use it with > extreme caution in the future. =) Good. There is almost always a better way to accomplish a task than to use eval(). > Now for MY question: Besides eval(), are there other functions that > should be 'red-flagged' as well? I just haven't been around Python > long enough yet to become familiar with all of the Standard Library. > Correct me if I'm wrong, but with 29 keywords, and over 176 library > functions, Python weighs-in at over 200 Standard "objects"? Anything where user input is executed as code is a security hole and should never be opened to untrusted users. eval() exec execfile() come to mind. Kent _______________________________________________ Tutor maillist - Tutor@python.org http://mail.python.org/mailman/listinfo/tutor