RE: Question about ast.literal_eval

Discussion in 'Python' started by Carlos Nepomuceno, May 20, 2013.

  1. ----------------------------------------
    > To:
    > From:
    > Subject: Re: Question about ast.literal_eval
    > Date: Mon, 20 May 2013 09:50:02 +0200
    >
    > [Corrected top-posting]
    >
    >>> To:
    >>> From:
    >>> Subject: Question about ast.literal_eval
    >>> Date: Mon, 20 May 2013 09:05:48 +0200
    >>>
    >>> Hi all
    >>>
    >>> I am trying to emulate a SQL check constraint in Python. Quoting from
    >>> the PostgreSQL docs, "A check constraint is the most generic constraint
    >>> type. It allows you to specify that the value in a certain column must
    >>> satisfy a Boolean (truth-value) expression."
    >>>
    >>> The problem is that I want to store the constraint as a string, and I
    >>> was hoping to use ast.literal_eval to evaluate it, but it does not work.
    >>>

    >
    > On 20/05/2013 09:34, Carlos Nepomuceno wrote:
    >
    >> It seems to me you can't use ast.literal_eval()[1] to evaluate that kind of expression
    >> because it's just for literals[2].
    >>
    >> Why don't you use eval()?
    >>

    >
    > Because users can create their own columns, with their own constraints.
    > Therefore the string is user-modifiable, so it cannot be trusted.


    I understand your motivation but I don't know what protection ast.literal_eval() is offering that eval() doesn't.

    > Frank
    >
    >
    > --
    > http://mail.python.org/mailman/listinfo/python-list
    Carlos Nepomuceno, May 20, 2013
    #1

  2. On Mon, 20 May 2013 10:55:35 +0300, Carlos Nepomuceno wrote:

    > I understand your motivation but I don't know what protection
    > ast.literal_eval() is offering that eval() doesn't.


    eval will evaluate any legal Python expression:


    py> eval("__import__('os').system('echo Mwahaha! Now you are pwned!') or 42")
    Mwahaha! Now you are pwned!
    42


    ast.literal_eval() does exactly what the name says: it will evaluate any
    legal Python LITERAL, including ints, floats, lists, dicts and strings,
    but not arbitrary expressions.


    py> import ast
    py> ast.literal_eval('123')
    123
    py> ast.literal_eval('[123, None, "spam"]')
    [123, None, 'spam']



    --
    Steven
    Steven D'Aprano, May 20, 2013
    #2
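
Added example, not part of any post in this thread: ast.literal_eval() rejects a check-constraint string because comparisons and column names are not literals, so one alternative to eval() is to parse the string with ast.parse() and walk only a whitelist of node types. The function names, the operator whitelist, the 200-character limit and the sample column names are assumptions made for illustration.

```python
import ast
import operator

# Assumed whitelist of comparison operators for constraint expressions.
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
        ast.In: lambda a, b: a in b, ast.NotIn: lambda a, b: a not in b}

def literal_eval_rejects(text):
    """Return True when ast.literal_eval refuses text as a non-literal."""
    try:
        ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return True
    return False

def check_constraint(expr, row, max_len=200):
    """Evaluate a boolean constraint against the column values in row."""
    if len(expr) > max_len:  # bound parser work on untrusted input
        raise ValueError("constraint too long")

    def ev(node):
        # Anything not matched below (calls, attributes, ...) is refused.
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, (ast.List, ast.Tuple)):
            return [ev(e) for e in node.elts]
        if isinstance(node, ast.Name):
            if node.id not in row:
                raise ValueError("unknown column: " + node.id)
            return row[node.id]
        if isinstance(node, ast.BoolOp):
            vals = (ev(v) for v in node.values)
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        if isinstance(node, ast.Compare):
            left = ev(node.left)
            for op, comp in zip(node.ops, node.comparators):
                if type(op) not in _CMP:
                    raise ValueError("operator not allowed")
                right = ev(comp)
                if not _CMP[type(op)](left, right):
                    return False
                left = right
            return True
        raise ValueError("node not allowed: " + type(node).__name__)

    return bool(ev(ast.parse(expr, mode="eval").body))
```

Names resolve only against the row dict, so a constraint cannot reach builtins or modules; a string that is not valid Python syntax raises SyntaxError from ast.parse() and should be treated as a rejected constraint.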