Danny Yoo <[email protected]> wrote in message:
>
>> Python is only as secure as the code *you* write. If you write code
>> where you accept text from untrusted people over the Internet and then
>> execute it as code using eval() or exec(), then your code is vulnerable
>> to code injection attacks. The solution to this is simple: don't use
>> eval() or exec() on untrusted data. There is hardly ever a need to use
>> eval() or exec() in your own code. In 15 years, I've only used them a
>> handful of times, and then mostly for experiments.
>
>
> And we have to fight the good fight. There are people out there who
> think that eval() is fine to teach to beginners. I do not understand
> why. As a concrete example that I came across today:
>
> https://plus.google.com/111222510165686226339/posts/jQrn9vkGxHA
>
> Such teaching makes me very sad. We have to really fight this hard to
> keep people from writing dangerous code. It's a bit frustrating
> because the teacher there obviously knows enough to be dangerous, yet
> not enough to be respectfully cautious.
> _______________________________________________
> Tutor maillist - [email protected]
> To unsubscribe or change subscription options:
> https://mail.python.org/mailman/listinfo/tutor
I tried to leave the following comment on that site, but cannot figure out how to use Google+ from a tablet. I left it somewhere, but apparently not on that page.

Why not introduce ast.literal_eval()? It's a whole lot safer than eval().

-- 
DaveA
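As an added illustration of the point made in this thread (this is not code from either poster), the helper below accepts a Python literal from an untrusted source with ast.literal_eval() instead of eval(): function calls, names, attribute access and operators are refused, and malformed or oversized input is rejected rather than run. The function name, the length cap and the sample strings are my own assumptions.

```python
import ast

# Added example, not from the mailing-list thread. ast.literal_eval() only
# builds literals (str, bytes, numbers, tuple, list, dict, set, bool, None);
# it never calls or looks anything up, so "print('hi')" is an error, not a
# print. The Python docs warn that a sufficiently large or deeply nested
# string can still exhaust the compiler's stack, hence the length cap.
MAX_INPUT_LEN = 4096  # assumed limit; tune for your own inputs

def parse_untrusted_literal(text):
    """Return (True, value) for a pure literal, (False, reason) otherwise.

    Nothing in `text` is ever executed as code.
    """
    if not isinstance(text, str):
        return False, "input must be a str"
    if len(text) > MAX_INPUT_LEN:
        return False, "input too long"
    try:
        value = ast.literal_eval(text)
    except (ValueError, TypeError):
        # Well-formed Python that is not a literal: a call, a name, an
        # attribute, arithmetic such as 2 ** 10, or an unhashable dict key.
        return False, "not a literal expression"
    except (SyntaxError, MemoryError, RecursionError):
        # Not parseable at all, or too deep for the parser.
        return False, "unparseable input"
    return True, value

def demo():
    """Run a few constructed samples through the helper."""
    samples = [
        "{'user': 'alice', 'ports': [22, 443]}",  # accepted
        "-3.5",                                    # accepted
        "print('hi')",                             # call: refused
        "2 ** 10",                                 # operator: refused
        "{'a': ",                                  # syntax error: refused
    ]
    return {s: parse_untrusted_literal(s) for s in samples}

if __name__ == "__main__":
    for text, result in demo().items():
        print(repr(text), "->", result)
```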
