Re: Question about ast.literal_eval

Discussion in 'Python' started by Frank Millman, May 20, 2013.

    On 20/05/2013 09:55, Carlos Nepomuceno wrote:
    >>> Why don't you use eval()?
    >>
    >> Because users can create their own columns, with their own constraints.
    >> Therefore the string is user-modifiable, so it cannot be trusted.
    >
    > I understand your motivation but I don't know what protection ast.literal_eval() is offering that eval() doesn't.

    Quoting from the manual -

    "Safely evaluate an expression node or a string containing a Python
    expression. The string or node provided may only consist of the
    following Python literal structures: strings, bytes, numbers, tuples,
    lists, dicts, sets, booleans, and None."

    The operative word is 'safely'. I don't know the details, but it
    prevents the kinds of exploits that can be carried out by malicious code
    using eval().

    I believe it is the same problem as SQL injection, which is solved by
    using parameterised queries.

    Frank
     
    Frank Millman, May 20, 2013
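To make the "safely" concrete, here is an added example (not code from the thread) of validating a user-stored column constraint with ast.literal_eval: plain literals are accepted, while names, attribute access, calls and operators raise ValueError and are never executed. The allowed container types and the length cap are assumptions for this example; the cap matters because literal_eval still parses the whole input and the manual warns that very large or deeply nested strings can exhaust the interpreter's stack.

```python
import ast

# Upper bound on a constraint string (assumption): literal_eval still has to
# parse the whole input, and huge or deeply nested input can exhaust the stack.
MAX_CONSTRAINT_LEN = 4096

# Container types a column constraint may be (assumption for this example;
# the thread only says constraints are user-defined).
ALLOWED_TYPES = (tuple, list, dict)


def parse_constraint(text):
    """Parse a user-supplied constraint string with ast.literal_eval.

    Returns (True, value) when the string is a plain literal of an allowed
    container type, and (False, reason) otherwise. Nothing in the string is
    ever executed: names, attribute access, calls and operators are rejected.
    """
    if len(text) > MAX_CONSTRAINT_LEN:
        return False, "constraint too long"
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        # ValueError: syntactically valid but not a literal (a call, a name,
        # a subscript, an operator); SyntaxError: not valid Python at all;
        # the last two guard against pathological nesting.
        return False, "%s: %s" % (type(exc).__name__, exc)
    if not isinstance(value, ALLOWED_TYPES):
        return False, "constraint must be a tuple, list or dict, got %s" % type(value).__name__
    return True, value


# Constructed sample inputs: the first three are what a user is expected to
# store; the rest are not plain literals of an allowed type and are refused,
# whereas eval() would have evaluated every one of them.
SAMPLES = [
    "('open', 'closed')",
    "{'min': 0, 'max': 100}",
    "[1, 2, 3]",
    "os.getcwd()",
    "config",
    "[1, 2, 3][0]",
    "2 ** 10",
    "'plain string'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, result = parse_constraint(s)
        print("%-24s -> %s %r" % (s, "OK    " if ok else "REJECT", result))
```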