> Python is only as secure as the code *you* write. If you write code
> where you accept text from untrusted people over the Internet and then
> execute it as code using eval() or exec(), then your code is vulnerable
> to code injection attacks. The solution to this is simple: don't use
> eval() or exec() on untrusted data. There is hardly ever a need to use
> eval() or exec() in your own code. In 15 years, I've only used them a
> handful of times, and then mostly for experiments.


And we have to fight the good fight.  There are people out there who
think that eval() is fine to teach to beginners.  I do not understand
why.  As a concrete example that I came across today:

    https://plus.google.com/111222510165686226339/posts/jQrn9vkGxHA

Such teaching makes me very sad.  We have to really fight this hard to
keep people from writing dangerous code.  It's a bit frustrating
because the teacher there obviously knows enough to be dangerous, yet
not enough to be respectfully cautious.
_______________________________________________
Tutor maillist  -  [email protected]
To unsubscribe or change subscription options:
https://mail.python.org/mailman/listinfo/tutor
