Re: eval() == evil? --- How to use it safely?

  • Jean-Paul Calderone

    Re: eval() == evil? --- How to use it safely?

    On Thu, 28 Aug 2008 14:51:57 -0700 (PDT), Fett <fettmanchu@gmail.com> wrote:
    >I am creating a program that requires some data that must be kept up
    >to date. What I plan is to put this data up on a web-site then have
    >the program periodically pull the data off the web-site.
    >
    >My problem is that when I pull the data (currently stored as a
    >dictionary on the site) off the site, it is a string, I can use eval()
    >to make that string into a dictionary, and everything is great.
    >However, this means that I am using eval() on some string on a web-
    >site, which seems pretty un-safe.
    >
    >I read that by using eval(code,{"__builtins__":None},{}) I can prevent
    >them from using pretty much anything, and my nested dictionary of
    >strings is still allowable. What I want to know is:
    >
    >What are the dangers of eval?
    >- I originally was using exec() but switched to eval() because I
    >didn't want some hacker to be able to delete/steal files off my
    >clients computers. I assume this is not an issue with eval(), since
    >eval wont execute commands.
    >- What exactly can someone do by modifying my code string in a command
    >like: thing = eval(code,{"__builtins__":None},{}), anything other than
    >assign their own values to the object thing?
    eval and exec are the same. Don't use either with strings from a web page.
    Try using a simple format for your data, such as CSV.

    Jean-Paul
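Two eval()-free ways to load the fetched data, as an added example that is not from the thread: `ast.literal_eval` (not mentioned in the thread) parses a dict literal but refuses names and calls, and a small CSV loader implements the format the reply suggests. The payload strings, the `example.invalid` URL and the nested-dict-of-strings schema check are constructed for this example.

```python
import ast
import csv
import io

# Constructed sample payloads standing in for what the program fetches from the web site.
# GOOD_PAYLOAD is the nested dictionary of strings the original poster describes;
# BAD_PAYLOAD embeds a call, which eval() would execute but literal_eval rejects.
GOOD_PAYLOAD = "{'version': '1.2', 'mirrors': {'eu': 'http://example.invalid/a'}}"
BAD_PAYLOAD = "{'version': len('abc')}"


def _only_strings(obj):
    """Return True if obj is a (possibly nested) dict whose keys and leaves are all str."""
    if isinstance(obj, dict):
        return all(isinstance(k, str) and _only_strings(v) for k, v in obj.items())
    return isinstance(obj, str)


def load_literal_dict(text):
    """Parse a Python dict literal without eval(). ast.literal_eval accepts only
    literals (strings, numbers, tuples, lists, dicts, sets, booleans, None), so a
    name or a call raises ValueError instead of running. The schema check then
    rejects anything that is not a nested dict of strings (constructed schema)."""
    data = ast.literal_eval(text)
    if not isinstance(data, dict) or not _only_strings(data):
        raise ValueError("payload is not a nested dict of strings")
    return data


def load_csv_dict(text):
    """Parse the 'key,value' CSV format the reply suggests into a flat dict.
    No Python syntax is parsed at all, so there is nothing that could execute."""
    result = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            raise ValueError("expected exactly two columns, got %r" % (row,))
        result[row[0]] = row[1]
    return result


def is_rejected(text):
    """True if load_literal_dict refuses the payload (ValueError or SyntaxError)."""
    try:
        load_literal_dict(text)
    except (ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print(load_literal_dict(GOOD_PAYLOAD))
    print(is_rejected(BAD_PAYLOAD))
    print(load_csv_dict("version,1.2\nmirror_eu,http://example.invalid/a\n"))
```

`ast.literal_eval` still parses the whole string first, so cap the size of what you fetch and catch `RecursionError`/`MemoryError` too if the source is untrusted.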